INFO
PSEXEC
PSEXEC is dropped as dllhost.dat under c:\windows location. Its mainly used for propagation.
Some links
CLICK FOR Info on Lateral Movement *
CLICK FOR Lateral Movement / Propagation Video *
File a.dll is the malicious DLL. After the internal scan, payload is propagated to live machines
| Process | Func | Param |
|---|---|---|
| rundll32.exe | CreateFile | \\;RdpDr\;:1\172.16.177.2\admin$\ |
| rundll32.exe | CreateFile | \\;RdpDr\;:1\172.16.177.254\admin$\ |
| rundll32.exe | CreateFile | \\;RdpDr\;:1\10.0.0.2\admin$\ |
| rundll32.exe | CreateFile | \\;RdpDr\;:1\172.16.177.149\admin$\ |
| rundll32.exe | CreateFile | C:\Program Files (x86)\Icecast\admin |
| rundll32.exe | QueryDirectory | C:\Program Files (x86)\Icecast\admin\* |
| rundll32.exe | ReadFile | C:\Program Files (x86)\Icecast\admin |
| rundll32.exe | QueryDirectory | C:\Program Files (x86)\Icecast\admin |
| rundll32.exe | QueryDirectory | C:\Program Files (x86)\Icecast\admin |
| rundll32.exe | CloseFile | C:\Program Files (x86)\Icecast\admin |
| rundll32.exe | CreateFile | C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Include\ahadmin.h |
| rundll32.exe | CreateFile | \\172.16.177.2\admin$\a |
| rundll32.exe | CreateFile | \\172.16.177.2\admin$\a.dll |
| rundll32.exe | CreateFile | \\172.16.177.149\admin$\a |
| rundll32.exe | CreateFile | \\10.0.0.2\admin$\a |
| rundll32.exe | CreateFile | \\172.16.177.149\admin$\a.dll |
| rundll32.exe | CreateFile | \\10.0.0.2\admin$\a.dll |
| rundll32.exe | CreateFile | \\172.16.177.254\admin$\a |
| rundll32.exe | CreateFile | \\172.16.177.254\admin$\a.dll |
| rundll32.exe | CreateFile | \\;RdpDr\;:1\10.0.0.11\admin$\ |
| rundll32.exe | CreateFile | \\10.0.0.11\admin$\a |
| rundll32.exe | CreateFile | \\10.0.0.11\admin$\a.dll |