Timeline
PSEXESVC.EXE is created on disk; this is the service binary a remote PsExec session drops into the Windows directory. pslist in the memory section below shows the matching process starting one second later (00:05:49).
Tue Nov 27 2012 00:05:48 181064 macb r/rrwxrwxrwx 0 0 10784-128-3 c:/WINDOWS/PSEXESVC.EXE
The three tools below carry modification times (00:20) that predate their creation times on this volume (gs.exe 00:53:49, ra.exe 01:05:24, wc.exe 01:23:36 in the entries that follow). A file copy keeps the source's modification time but gets a fresh creation time, so this is the signature of tools copied in from another machine.
Tue Nov 27 2012 00:20:33 303104 m... r/rrwxrwxrwx 0 0 10365-128-3 c:/WINDOWS/webui/gs.exe
Tue Nov 27 2012 00:20:40 403968 m... r/rrwxrwxrwx 0 0 10380-128-3 c:/WINDOWS/webui/ra.exe
Tue Nov 27 2012 00:20:46 208384 m... r/rrwxrwxrwx 0 0 10881-128-3 c:/WINDOWS/webui/wc.exe
The sysbackup profile directory is created while the Default User profile tree is being read, consistent with a first logon by the sysbackup account (a new profile is built from Default User).
Tue Nov 27 2012 00:29:06 56 ...b d/drwxrwxrwx 0 0 10008-144-6 c:/Documents and Settings/sysbackup
56 m.c. d/drwxrwxrwx 0 0 3389-144-6 c:/Documents and Settings
56 .a.. d/dr-xr-xr-x 0 0 3390-144-7 c:/Documents and Settings/Default User
360 .a.. d/d--x--x--x 0 0 3411-144-1 c:/Documents and Settings/Default User/Application Data
496 .a.. d/drwxrwxrwx 0 0 3412-144-1 c:/Documents and Settings/Default User/Application Data/Microsoft
152 .a.. d/drwxrwxrwx 0 0 3475-144-1 c:/Documents and Settings/Default User/Cookies
56 .a.. d/d--x--x--x 0 0 3482-144-5 c:/Documents and Settings/Default User/SendTo
256 .a.. d/d-wx-wx-wx 0 0 3483-144-1 c:/Documents and Settings/Default User/Start Menu
696 .a.. d/d-wx-wx-wx 0 0 3486-144-1 c:/Documents and Settings/Default User/Start Menu/Programs
152 .a.. d/d-wx-wx-wx 0 0 3488-144-1 c:/Documents and Settings/Default User/Start Menu/Programs/Startup
56 .a.. d/d--x--x--x 0 0 3490-144-6 c:/Documents and Settings/Default User/Local Settings
256 .a.. d/dr-xr-xr-x 0 0 3492-144-1 c:/Documents and Settings/Default User/Local Settings/Application Data
256 .a.. d/drwxrwxrwx 0 0 3493-144-1 c:/Documents and Settings/Default User/Local Settings/Temporary Internet Files
256 .a.. d/drwxrwxrwx 0 0 3494-144-1 c:/Documents and Settings/Default User/Local Settings/History
56 .a.. d/d-wx-wx-wx 0 0 6182-144-6 c:/Documents and Settings/Default User/Start Menu/Programs/Accessories
Skipping...
Tue Nov 27 2012 00:44:15 61440 .a.. r/rrwxrwxrwx 0 0 453-128-3 c:/WINDOWS/system32/ipconfig.exe
system.dll in the tool directory is written (mac., no birth at this second, so the file already existed and is being overwritten or appended to) one second after ipconfig.exe is accessed; consistent with reconnaissance output being redirected into a file with a benign-looking name.
Tue Nov 27 2012 00:44:16 5711 mac. r/rrwxrwxrwx 0 0 10872-128-3 c:/WINDOWS/webui/system.dll
net1.exe is accessed, indicating a net command was run (net.exe hands most subcommands off to net1.exe).
Tue Nov 27 2012 00:44:16 120320 .a.. r/rrwxrwxrwx 0 0 458-128-3 c:/WINDOWS/system32/net1.exe
gs.exe (gsecdump) is created on the machine (..cb: MFT change and birth at this second; its earlier modification time belongs to the copy source).
Tue Nov 27 2012 00:53:49 303104 ..cb r/rrwxrwxrwx 0 0 10365-128-3 c:/WINDOWS/webui/gs.exe
svchost.dll is created in the tool directory (a decoy name, not the system binary; note the path).
Tue Nov 27 2012 00:55:41 1230 ...b r/rrwxrwxrwx 0 0 10780-128-3 c:/WINDOWS/webui/svchost.dll
gs.exe (gsecdump) is run: it is accessed in the same second that lsasrv.dll, cryptdll.dll and samsrv.dll are read and svchost.dll is modified, consistent with gsecdump pulling hashes out of the SAM/LSA and its output being redirected into svchost.dll.
Tue Nov 27 2012 00:56:43 303104 .a.. r/rrwxrwxrwx 0 0 10365-128-3 c:/WINDOWS/webui/gs.exe
1230 m.c. r/rrwxrwxrwx 0 0 10780-128-3 c:/WINDOWS/webui/svchost.dll
799232 .a.. r/rrwxrwxrwx 0 0 307-128-3 c:/WINDOWS/system32/lsasrv.dll
34816 .a.. r/rrwxrwxrwx 0 0 308-128-3 c:/WINDOWS/system32/cryptdll.dll
462848 .a.. r/rrwxrwxrwx 0 0 310-128-3 c:/WINDOWS/system32/samsrv.dll
svchost.dll is read back 37 seconds later.
Tue Nov 27 2012 00:57:20 1230 .a.. r/rrwxrwxrwx 0 0 10780-128-3 c:/WINDOWS/webui/svchost.dll
https.dll is created in the tool directory. From this point large numbers of directories are accessed in quick succession, which looks like a filesystem scan or directory listing run (those entries are omitted here).
Tue Nov 27 2012 01:00:27 5282 ...b r/rrwxrwxrwx 0 0 10875-128-3 c:/WINDOWS/webui/https.dll
ra.exe is created on the system (a renamed RAR binary; see the command line recovered from memory below).
Tue Nov 27 2012 01:05:24 403968 ..cb r/rrwxrwxrwx 0 0 10380-128-3 c:/WINDOWS/webui/ra.exe
A WinRAR profile directory is created under the sysbackup user's Application Data, indicating WinRAR was executed under that account.
Tue Nov 27 2012 01:05:55 48 macb d/drwxrwxrwx 0 0 10877-144-1 c:/Documents and Settings/sysbackup/Application Data/WinRAR
ra.exe is accessed (executed) and in the same second the .dwg files start being read, netstat.dll is created, and system4.bat is created and accessed; consistent with a batch file driving RAR to archive the Pumps directory into netstat.dll (that archive name appears in the RAR command line recovered from memory below).
Tue Nov 27 2012 01:11:19 403968 .a.. r/rrwxrwxrwx 0 0 10380-128-3 c:/WINDOWS/webui/ra.exe
2048000 .a.. r/rrwxrwxrwx 0 0 10672-128-3 c:/Engineering/Designs/Pumps/pump1.dwg
2048000 .a.. r/rrwxrwxrwx 0 0 10681-128-3 c:/Engineering/Designs/Pumps/pump10.dwg
131 .a.b r/rrwxrwxrwx 0 0 10876-128-1 c:/WINDOWS/system32/system4.bat
109092 ...b r/rrwxrwxrwx 0 0 10878-128-3 c:/WINDOWS/webui/netstat.dll
Note: pump1.dwg through pump100.dwg are all accessed within a 21-second span (entries omitted). At1.job is created and at.exe accessed in the same second, so a scheduled task is being set up alongside the archiving.
322 ...b r/rrwxrwxrwx 0 0 10880-128-1 c:/WINDOWS/Tasks/At1.job
456 mac. d/drwxrwxrwx 0 0 5639-144-1 c:/WINDOWS/Tasks
24576 .a.. r/rrwxrwxrwx 0 0 652-128-3 c:/WINDOWS/system32/at.exe
wc.exe is created and accessed (executed) in the tool directory; the webui directory entry is updated in the same second.
Tue Nov 27 2012 01:23:36 56 mac. d/drwxrwxrwx 0 0 10871-144-5 c:/WINDOWS/webui
208384 .acb r/rrwxrwxrwx 0 0 10881-128-3 c:/WINDOWS/webui/wc.exe
At1.job is modified at 01:30:00, consistent with the job firing. The scheduler log further down records the same run as 4:30:00 AM, so the timeline and the host's local time differ by three hours; reconcile the time zones before correlating these sources.
Tue Nov 27 2012 01:30:00 322 mac. r/rrwxrwxrwx 0 0 10880-128-1 c:/WINDOWS/Tasks/At1.job
mdd.exe (the memory acquisition tool) is written to the root of C:; pslist below shows it starting at 01:52:37 under cmd.exe, which is the capture of the memory image analyzed in the next section.
Tue Nov 27 2012 01:42:21 95104 m... r/rrwxrwxrwx 0 0 10882-128-3 c:/mdd.exe
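The two checks the timeline notes above rely on (a file whose modification time predates its creation time was copied in from elsewhere; a burst of accesses across one directory is a bulk read such as archiving) can be scripted over mactime output. The following is an added example, not tooling from the original post; the sample rows are copied from the timeline above except for pump2.dwg and pump3.dwg, which are constructed so the burst check has more than two files to count. mactime prints the timestamp only on the first row of a group, so the parser carries it forward onto continuation rows.

```python
"""Parse mactime output and flag (1) files born in a staging directory,
(2) files copied in (modification time before birth time), and (3) access
bursts in a single directory.  Added example, not the original post's code."""
import re
from collections import defaultdict
from datetime import datetime

# Rows copied from the timeline above; the last two (pump2/pump3, meta
# addresses 10690/10691) are constructed for the burst check.
SAMPLE = """\
Tue Nov 27 2012 00:05:48 181064 macb r/rrwxrwxrwx 0 0 10784-128-3 c:/WINDOWS/PSEXESVC.EXE
Tue Nov 27 2012 00:20:33 303104 m... r/rrwxrwxrwx 0 0 10365-128-3 c:/WINDOWS/webui/gs.exe
Tue Nov 27 2012 00:53:49 303104 ..cb r/rrwxrwxrwx 0 0 10365-128-3 c:/WINDOWS/webui/gs.exe
Tue Nov 27 2012 01:05:24 403968 ..cb r/rrwxrwxrwx 0 0 10380-128-3 c:/WINDOWS/webui/ra.exe
Tue Nov 27 2012 01:11:19 403968 .a.. r/rrwxrwxrwx 0 0 10380-128-3 c:/WINDOWS/webui/ra.exe
2048000 .a.. r/rrwxrwxrwx 0 0 10672-128-3 c:/Engineering/Designs/Pumps/pump1.dwg
2048000 .a.. r/rrwxrwxrwx 0 0 10681-128-3 c:/Engineering/Designs/Pumps/pump10.dwg
131 .a.b r/rrwxrwxrwx 0 0 10876-128-1 c:/WINDOWS/system32/system4.bat
109092 ...b r/rrwxrwxrwx 0 0 10878-128-3 c:/WINDOWS/webui/netstat.dll
Tue Nov 27 2012 01:11:31 2048000 .a.. r/rrwxrwxrwx 0 0 10690-128-3 c:/Engineering/Designs/Pumps/pump2.dwg
Tue Nov 27 2012 01:11:40 2048000 .a.. r/rrwxrwxrwx 0 0 10691-128-3 c:/Engineering/Designs/Pumps/pump3.dwg
"""

# One mactime row: optional date (blank on rows sharing the previous
# timestamp), size, MACB flags, mode, uid, gid, meta address, name.
ROW = re.compile(
    r"^(?:(?P<date>\w{3} \w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+)?"
    r"(?P<size>\d+)\s+(?P<macb>[m.][a.][c.][b.])\s+(?P<mode>\S+)\s+"
    r"(?P<uid>\d+)\s+(?P<gid>\d+)\s+(?P<meta>\S+)\s+(?P<name>.+?)\s*$"
)

def parse_timeline(text):
    """Return rows as dicts, propagating the timestamp onto continuation rows."""
    rows, current = [], None
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                       # commentary lines are skipped
        if m["date"]:
            current = datetime.strptime(m["date"], "%a %b %d %Y %H:%M:%S")
        if current is None:
            continue                       # continuation before any dated row
        rows.append({"time": current, "size": int(m["size"]), "macb": m["macb"],
                     "mode": m["mode"], "meta": m["meta"], "name": m["name"]})
    return rows

def born_under(rows, prefix):
    """(time, name) for files created (b flag) under prefix, case-insensitive."""
    p = prefix.lower()
    return [(r["time"], r["name"]) for r in rows
            if r["macb"][3] == "b" and r["name"].lower().startswith(p)]

def copied_in(rows):
    """Files whose modification time predates their birth on this volume.
    A copy keeps the source's mtime and gets a fresh creation time."""
    mtimes, btimes, names = {}, {}, {}
    for r in rows:
        names[r["meta"]] = r["name"]
        if r["macb"][0] == "m":
            mtimes[r["meta"]] = r["time"]
        if r["macb"][3] == "b":
            btimes[r["meta"]] = r["time"]
    return sorted((names[k], mtimes[k], btimes[k]) for k in mtimes
                  if k in btimes and mtimes[k] < btimes[k])

def access_bursts(rows, window=30, min_files=3):
    """(dir, count) for directories where >= min_files distinct files were
    accessed inside some window of `window` seconds."""
    first_access = defaultdict(dict)       # dir -> {name: earliest access}
    for r in rows:
        if r["macb"][1] != "a" or not r["mode"].startswith("r/") or "/" not in r["name"]:
            continue
        d, name = r["name"].rsplit("/", 1)
        t = first_access[d].get(name)
        first_access[d][name] = r["time"] if t is None or r["time"] < t else t
    bursts = []
    for d, files in first_access.items():
        times = sorted(files.values())
        best, i = 0, 0
        for j, tj in enumerate(times):     # sliding window over sorted times
            while (tj - times[i]).total_seconds() > window:
                i += 1
            best = max(best, j - i + 1)
        if best >= min_files:
            bursts.append((d, best))
    return sorted(bursts)

if __name__ == "__main__":
    rows = parse_timeline(SAMPLE)
    print("born in staging dir:", born_under(rows, "c:/windows/webui"))
    print("copied in (mtime < btime):", copied_in(rows))
    print("access bursts:", access_bursts(rows))
```

Run against a full mactime body (not the excerpt) the burst check will also light up legitimate activity such as indexing or antivirus scans, so treat it as a pivot point to be confirmed against the process and command-line evidence, not as a verdict on its own.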
Memory
PSEXESVC.EXE (PID 268) running with services.exe (PID 528) as its parent, started at 00:05:49, one second after the binary appeared on disk in the timeline.
vol.py pslist -f memdump.bin --profile=Win2003SP0x86
Volatile Systems Volatility Framework 2.2
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0x822b07a8 System 4 0 60 434 ------ 0
0x82103020 smss.exe 404 4 3 17 ------ 0 2012-11-26 22:04:57
0x820ecd88 csrss.exe 452 404 11 388 0 0 2012-11-26 22:04:58
0x82003d88 winlogon.exe 484 404 17 514 0 0 2012-11-26 22:05:00
0x81ff9b08 services.exe 528 484 16 289 0 0 2012-11-26 22:05:01
0x81ff45c8 lsass.exe 540 484 36 487 0 0 2012-11-26 22:05:01
0x81fe9d88 svchost.exe 768 528 10 184 0 0 2012-11-26 22:05:03
0x81fb9cd8 svchost.exe 848 528 8 126 0 0 2012-11-26 22:05:03
0x81fbc020 svchost.exe 868 528 5 78 0 0 2012-11-26 22:05:03
0x81fb3668 svchost.exe 900 528 45 807 0 0 2012-11-26 22:05:03
0x81f9c498 spoolsv.exe 1084 528 8 103 0 0 2012-11-26 22:05:19
0x81f92020 msdtc.exe 1112 528 19 163 0 0 2012-11-26 22:05:19
0x81f84888 svchost.exe 1260 528 2 52 0 0 2012-11-26 22:05:27
0x81f7ac78 inetinfo.exe 1312 528 8 151 0 0 2012-11-26 22:05:27
0x81f82ad8 svchost.exe 1344 528 2 33 0 0 2012-11-26 22:05:27
0x81f77388 wins.exe 1388 528 19 196 0 0 2012-11-26 22:05:27
0x81c94d88 dfssvc.exe 1608 528 9 70 0 0 2012-11-26 22:05:31
0x81f6a9d0 svchost.exe 1656 528 15 138 0 0 2012-11-26 22:05:31
0x81c39608 explorer.exe 1928 1896 9 277 0 0 2012-11-26 22:05:47
0x81c0c200 svchost.exe 256 528 15 120 0 0 2012-11-26 22:06:05
0x81bff828 wuauclt.exe 860 900 5 69 0 0 2012-11-26 22:06:44
0x81bfc268 wmiprvse.exe 1080 768 4 136 0 0 2012-11-26 22:06:44
0x81f7f2b0 PSEXESVC.EXE 268 528 4 85 0 0 2012-11-27 00:05:49
0x81c3f020 cmd.exe 756 1928 1 22 0 0 2012-11-27 01:50:29
0x81f8d020 mdd.exe 508 756 1 25 0 0 2012-11-27 01:52:37
connscan carves _TCPT_OBJECT structures out of physical memory, so each connection is listed once per copy found (the same local/remote/PID tuple recurs at several physical offsets) and connections from processes that have already exited can still appear. PID 988 below has no entry in pslist. 172.16.223.187, the inbound SMB (445) client, is the same address that appears with the workstation name FLD-SARIYADH-43 in the strings further down.
vol.py connscan -f memdump.bin --profile=Win2003SP0x86
Volatile Systems Volatility Framework 2.2
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
0x01f19328 172.16.223.47:1113 172.16.150.10:445 988
0x01f52008 172.16.223.47:1112 172.16.150.10:1025 540
0x01fbc428 172.16.223.47:139 172.16.150.10:1750 4
0x01febb10 172.16.223.47:1137 172.16.150.10:135 540
0x01ff8e70 172.16.223.47:445 172.16.150.20:1235 4
0x0200b3c8 172.16.223.47:1150 172.16.150.10:135 540
0x02010cd8 172.16.223.47:42 172.16.150.10:1824 1388
0x020129c8 172.16.223.47:445 172.16.223.187:1210 4
0x02369ab8 172.16.223.47:1031 172.16.150.10:42 1388
0x02383008 172.16.223.47:1160 172.16.150.10:1025 540
0x02419a10 172.16.223.47:1164 172.16.150.10:445 4
0x025dbcd0 172.16.223.47:1165 172.16.150.10:139 4
0x02663920 172.16.223.47:1159 172.16.150.10:135 540
0x0d9f2920 172.16.223.47:1159 172.16.150.10:135 540
0x0da0acd0 172.16.223.47:1165 172.16.150.10:139 4
0x0da619c8 172.16.223.47:445 172.16.223.187:1210 4
0x0daffcd8 172.16.223.47:42 172.16.150.10:1824 1388
0x0db1fe70 172.16.223.47:445 172.16.150.20:1235 4
0x0db38ab8 172.16.223.47:1031 172.16.150.10:42 1388
0x0dbe8a10 172.16.223.47:1164 172.16.150.10:445 4
0x0dcd2008 172.16.223.47:1160 172.16.150.10:1025 540
0x0dd59008 172.16.223.47:1112 172.16.150.10:1025 540
0x0dde0328 172.16.223.47:1113 172.16.150.10:445 988
0x0defa3c8 172.16.223.47:1150 172.16.150.10:135 540
0x0dfa3428 172.16.223.47:139 172.16.150.10:1750 4
0x0e072b10 172.16.223.47:1137 172.16.150.10:135 540
0x16f7eab8 172.16.223.47:1031 172.16.150.10:42 1388
0x16ffb920 172.16.223.47:1159 172.16.150.10:135 540
0x17163cd0 172.16.223.47:1165 172.16.150.10:139 4
0x17219a10 172.16.223.47:1164 172.16.150.10:445 4
0x172f7cd8 172.16.223.47:42 172.16.150.10:1824 1388
0x17317e70 172.16.223.47:445 172.16.150.20:1235 4
0x174959c8 172.16.223.47:445 172.16.223.187:1210 4
0x176ba008 172.16.223.47:1160 172.16.150.10:1025 540
0x177db3c8 172.16.223.47:1150 172.16.150.10:135 540
0x1781c428 172.16.223.47:139 172.16.150.10:1750 4
0x17936328 172.16.223.47:1113 172.16.150.10:445 988
0x179b3008 172.16.223.47:1112 172.16.150.10:1025 540
0x17c50b10 172.16.223.47:1137 172.16.150.10:135 540
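The connscan output is easier to reason about once the carved duplicates are collapsed and each PID is looked up in pslist. The following is an added example, not tooling from the original post; the rows are copied from the two Volatility outputs above (connscan trimmed to a subset that still contains repeated copies). The direction heuristic, inbound when the local port is privileged and the remote port ephemeral, is an assumption of this example.

```python
"""Correlate Volatility 2.x pslist and connscan output: collapse the carved
duplicates, attach process names, and flag PIDs absent from pslist.
Added example, not the original post's code."""
import re

# Rows copied from the pslist and connscan output above.
PSLIST = """\
0x822b07a8 System 4 0 60 434 ------ 0
0x81ff9b08 services.exe 528 484 16 289 0 0 2012-11-26 22:05:01
0x81ff45c8 lsass.exe 540 484 36 487 0 0 2012-11-26 22:05:01
0x81f77388 wins.exe 1388 528 19 196 0 0 2012-11-26 22:05:27
0x81f7f2b0 PSEXESVC.EXE 268 528 4 85 0 0 2012-11-27 00:05:49
"""
CONNSCAN = """\
0x01f19328 172.16.223.47:1113 172.16.150.10:445 988
0x01f52008 172.16.223.47:1112 172.16.150.10:1025 540
0x020129c8 172.16.223.47:445 172.16.223.187:1210 4
0x02369ab8 172.16.223.47:1031 172.16.150.10:42 1388
0x0da619c8 172.16.223.47:445 172.16.223.187:1210 4
0x0dde0328 172.16.223.47:1113 172.16.150.10:445 988
0x174959c8 172.16.223.47:445 172.16.223.187:1210 4
"""

PS_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\b")
CONN_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s*$")

def parse_pslist(text):
    """pid -> process name (header and separator lines do not match)."""
    procs = {}
    for line in text.splitlines():
        m = PS_ROW.match(line.strip())
        if m:
            procs[int(m[2])] = m[1]
    return procs

def parse_connscan(text):
    """One dict per carved row, duplicates included."""
    conns = []
    for line in text.splitlines():
        m = CONN_ROW.match(line.strip())
        if m:
            conns.append({"local": (m[1], int(m[2])),
                          "remote": (m[3], int(m[4])), "pid": int(m[5])})
    return conns

def direction(local_port, remote_port):
    """Heuristic (assumption): privileged local port talking to an ephemeral
    remote port means a client connected to a listener on this host."""
    return "inbound" if local_port < 1024 <= remote_port else "outbound"

def attribute(conns, procs):
    """Collapse carved duplicates, then attach the owning process name from
    pslist; None means the PID is gone (exited before the dump, or stale)."""
    copies = {}
    for c in conns:
        key = (c["local"], c["remote"], c["pid"])
        copies[key] = copies.get(key, 0) + 1
    rows = []
    for (local, remote, pid), n in sorted(copies.items()):
        rows.append({"local": local, "remote": remote, "pid": pid,
                     "process": procs.get(pid), "copies": n,
                     "direction": direction(local[1], remote[1])})
    return rows

def orphan_pids(rows):
    """PIDs that own connections but have no pslist entry."""
    return {r["pid"] for r in rows if r["process"] is None}

if __name__ == "__main__":
    for r in attribute(parse_connscan(CONNSCAN), parse_pslist(PSLIST)):
        print(f'{r["local"][0]}:{r["local"][1]:<5} -> {r["remote"][0]}:{r["remote"][1]:<5} '
              f'pid={r["pid"]:<5} {r["process"] or "<not in pslist>":<16} '
              f'{r["direction"]:<8} copies={r["copies"]}')
```

A PID reported as orphaned should be chased with psscan (which carves terminated _EPROCESS objects) rather than dismissed; on this image it is the process that opened SMB to 172.16.150.10.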
0000370: fc1c f003 0000 7300 7900 7300 6200 6100 ......s.y.s.b.a.
0000380: 6300 6b00 7500 7000 0000 4900 4900 5300 c.k.u.p...I.I.S.
0000390: 2d00 5300 4100 5200 4900 5900 4100 4400 -.S.A.R.I.Y.A.D.
00003a0: 4800 2d00 3000 3300 0000 2800 3000 7800 H.-.0.3...(.0.x.
00003b0: 3000 2c00 3000 7800 3500 3700 3200 3500 0.,.0.x.5.7.2.5.
00003c0: 3700 3300 2900 0000 3300 0000 4e00 7400 7.3.)...3...N.t.
00003d0: 4c00 6d00 5300 7300 7000 2000 0000 4e00 L.m.S.s.p. ...N.
00003e0: 5400 4c00 4d00 0000 4600 4c00 4400 2d00 T.L.M...F.L.D.-.
00003f0: 5300 4100 5200 4900 5900 4100 4400 4800 S.A.R.I.Y.A.D.H.
0000400: 2d00 3400 3300 0000 2d00 0000 2d00 0000 -.4.3...-...-...
0000410: 2d00 0000 2d00 0000 2d00 0000 2d00 0000 -...-...-...-...
0000420: 3100 3700 3200 2e00 3100 3600 2e00 3200 1.7.2...1.6...2.
0000430: 3200 3300 2e00 3100 3800 3700 0000 3000 2.3...1.8.7...0.
Strings in memory with PsExec-style pipe names tagged with the hostname FLD-SARIYADH-43, the same workstation name that appears next to 172.16.223.187 in the hex dump above.
515426928 psexec-FLD-SARIYADH-43-1600
516449152 psexec-FLD-SARIYADH-43-664
516576728 psexec-FLD-SARIYADH-43-420
523216208 psexec-FLD-SARIYADH-43-1020
The attacker's tool directory c:\windows\webui is shared as z with FULL permission granted to the sysbackup account.
482666851 net share z=c:\windows\webui /GRANT:sysbackup,FULL
RAR command line recovered from memory: add (a) the contents of C:\Engineering\Designs\Pumps recursively (-r) to an archive written as c:\windows\webui\netstat.dll, excluding *.dll (-x*.dll), with -hp encrypting both the file data and the archive headers (file names) under the password hclllsddlsdiddklljh. Because of -hp, not even the member names can be listed without the password.
485343532 c:\windows\webui\ra.exe a -hphclllsddlsdiddklljh -r c:\windows\webui\netstat.dll "C:\Engineering\Designs\Pumps" -x*.dll
Extracting a recovered copy of the archive (00071528.rar) with that password: the first three members extract cleanly, so the password is correct; the CRC failure on pump11.dwg therefore points to the recovered copy being truncated or partly overwritten rather than to a wrong password.
unrar e 00071528.rar
UNRAR 4.20 beta 3 freeware Copyright (c) 1993-2012 Alexander Roshal
Enter password (will not be echoed) for 00071528.rar:
Extracting from 00071528.rar
Extracting pump1.dwg OK
Extracting pump10.dwg OK
Extracting pump100.dwg OK
Extracting pump11.dwg 0%
CRC failed in the encrypted file Engineering/Designs/Pumps/pump11.dwg. Corrupt file or wrong password.
CRC failed in the encrypted file 00071528.rar. Corrupt file or wrong password.
Total errors: 2
At1.job contents and the scheduler log entries for it (the format matches SchedLgU.txt): the job runs wc.exe -e -o h.out at 4:30 AM local time, and the log records that the task failed to start.
531785668 C:\WINDOWS\Tasks\At1.job
531785732 wc.exe -e -o h.out
531785784 At 4:30 AM oPETRO-MARKET
62817098 "At1.job" (wc.exe) 11/27/2012 4:30:00 AM ** ERROR **
62817206 Unable to start task.
62817254 The specific error is:
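The net share and RAR command lines above are the kind of strings worth matching automatically, because the binary names (ra.exe, netstat.dll) are chosen to blend in and only the syntax gives them away. The following is an added example, not tooling from the original post: it matches RAR by its command-line grammar (the 'a' command plus -hp/-p/-r/-x switches) rather than by binary name, parses the net share grant, and links the archive path to the share that exposes its directory. The two benign lines in the input are constructed negatives.

```python
"""Detect the staging/exfil pattern in recovered command lines: a net share
exposing a directory, and a RAR add command with encrypted headers writing
to a non-archive file name.  Added example, not the original post's code."""
import re
import ntpath

# First three lines are the strings recovered from memory above; the last
# two are constructed benign negatives.
LINES = [
    r"net share z=c:\windows\webui /GRANT:sysbackup,FULL",
    r'c:\windows\webui\ra.exe a -hphclllsddlsdiddklljh -r c:\windows\webui\netstat.dll "C:\Engineering\Designs\Pumps" -x*.dll',
    r"wc.exe -e -o h.out",
    r"rar.exe a backup.rar c:\users\me\docs",   # constructed: ordinary use
    r"xcopy c:\data d:\backup /e",              # constructed: not RAR syntax
]

ARCHIVE_EXT = {".rar", ".zip", ".7z", ".cab", ".tar", ".gz"}
TOKEN = re.compile(r'"[^"]*"|\S+')

def tokenize(cmd):
    """Split on whitespace, keeping double-quoted paths together."""
    return [t.strip('"') for t in TOKEN.findall(cmd)]

def parse_rar(cmd):
    """Finding dict for a RAR-style 'a' (add) command, else None.  Matched on
    syntax, not binary name, because the binary may be renamed (ra.exe)."""
    t = tokenize(cmd)
    if len(t) < 3 or t[1].lower() != "a":
        return None
    switches = [x for x in t[2:] if x.startswith("-")]
    positional = [x for x in t[2:] if not x.startswith("-")]
    if not positional:
        return None
    hp = next((s[3:] for s in switches if s.lower().startswith("-hp")), None)  # -hp: data + headers
    p = next((s[2:] for s in switches if s.lower().startswith("-p")), None)    # -p: data only
    archive = positional[0]
    return {
        "type": "rar_add", "binary": t[0], "archive": archive,
        "sources": positional[1:],
        "recursive": any(s.lower() == "-r" for s in switches),
        "excludes": [s[2:] for s in switches if s.lower().startswith("-x")],
        "header_encrypted": hp is not None,
        "password": hp if hp is not None else p,
        # archive written under an extension no archiver would choose
        "disguised": ntpath.splitext(archive)[1].lower() not in ARCHIVE_EXT,
    }

NET_SHARE = re.compile(r"^net\s+share\s+(?P<share>[^=\s]+)=(?P<path>\S+)(?P<rest>.*)$", re.I)
GRANT = re.compile(r"/GRANT:(?P<user>[^,\s]+),(?P<perm>\w+)", re.I)

def parse_net_share(cmd):
    """Finding dict for 'net share name=path [/GRANT:user,perm ...]', else None."""
    m = NET_SHARE.match(cmd.strip())
    if not m:
        return None
    grants = [(g["user"], g["perm"].upper()) for g in GRANT.finditer(m["rest"])]
    path = m["path"]
    return {"type": "net_share", "share": m["share"], "path": path, "grants": grants,
            "under_windows": path.lower().replace("/", "\\").startswith("c:\\windows")}

def analyze(lines):
    """Run both parsers, then mark RAR archives whose directory is exposed by
    one of the shares (staging directory reachable over SMB)."""
    findings = [f for f in (parse_rar(l) or parse_net_share(l) for l in lines) if f]
    shares = {f["path"].lower().rstrip("\\") for f in findings if f["type"] == "net_share"}
    for f in findings:
        if f["type"] == "rar_add":
            d = ntpath.dirname(f["archive"]).lower().rstrip("\\")
            f["archive_in_share"] = d in shares
    return findings

if __name__ == "__main__":
    for f in analyze(LINES):
        print(f)
```

The three fields to alert on together are header_encrypted, disguised and archive_in_share: any one of them has benign explanations, the combination in a Windows system directory does not.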
Local Administrator hash found in memory, in pwdump format (user:RID:LM hash:NT hash:::). The LM field is not the empty-LM value (aad3b435b51404eeaad3b435b51404ee), so an LM hash of this password is stored, which makes it far cheaper to crack than the NT hash alone.
Administrator(current):500:b7ae6225a35c376da8d03b0a558fdf1f:159cb99e6dfd8830d25e8592c505d4be:::