Overview

overview

10

Static

static

608b93e344...61.exe

windows7_x64

1

608b93e344...61.exe

windows10_x64

10

Analysis

  • max time kernel
    82s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    14-09-2021 14:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    608b93e344bd3dbb09d0af9da6856061.exe

  • Size

    4.0MB

  • MD5

    608b93e344bd3dbb09d0af9da6856061

  • SHA1

    b7c8bd7bace350d3c9c054ebb58f25535d22ee95

  • SHA256

    5d45cef43fb4c150c33337fb369a89800f9d235eee1dbdac13a8f6fd13bc1ee4

  • SHA512

    6e47bb4688737505af62a8c67cea4143185dc047340d8943d412b5274b229bd24628a31576a3250cdfb69b0b4fcfd74140fe83355f49527e7cf9f465c30ac131

Score
10/10
servhelperxmrigbackdoorminerpersistencetrojan

Malware Config

Signatures

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe
    "C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3548
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3644
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zboakoxb\zboakoxb.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3748
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BBB.tmp" "c:\Users\Admin\AppData\Local\Temp\zboakoxb\CSC6678B83EFD544333B99B4AFEEE122FE.TMP"
          4⤵
            PID:3716
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4080
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2460
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3688
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
          3⤵
            PID:424
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
            3⤵
            • Modifies registry key
            PID:1012
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
            3⤵
              PID:2364
            • C:\Windows\SysWOW64\net.exe
              "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2172
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                4⤵
                  PID:2784
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:584
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c net start rdpdr
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:740
                  • C:\Windows\SysWOW64\net.exe
                    net start rdpdr
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:696
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 start rdpdr
                      6⤵
                        PID:1312
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1456
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c net start TermService
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1544
                    • C:\Windows\SysWOW64\net.exe
                      net start TermService
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1572
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 start TermService
                        6⤵
                          PID:1592
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                    3⤵
                      PID:2264
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                      3⤵
                        PID:1012

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                    MD5

                    f3068198b62b4b70404ec46694d632be

                    SHA1

                    7b0b31ae227cf2a78cb751573a9d07f755104ea0

                    SHA256

                    bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8

                    SHA512

                    ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\RES1BBB.tmp
                    MD5

                    261cb7114baae3ece6e3cf0d34d687c1

                    SHA1

                    34fef5e12d4ea071c445862555ccb86efe896ea3

                    SHA256

                    a998df994f127c87295e1dc1343ec203d4399d2b822f781848acd3eaf01282f0

                    SHA512

                    025c3fec8d259ba9d6c35dd787052b74260f45a9a7bb69ea2bea3ad28ca799d6816d7ef65a9ee571c42f38ec2741fec5c7e08cfa9915e79037c8504539225016

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
                    MD5

                    794bf0ae26a7efb0c516cf4a7692c501

                    SHA1

                    c8f81d0ddd4d360dcbe0814a04a86748f99c6ff2

                    SHA256

                    97753653d52aaa961e4d1364b5b43551c76da9bb19e12f741bd67c986259e825

                    SHA512

                    20c97972a1256375157f82a859ce4936613fe109d54c63bbec25734edc3a567ca976b342a21ef5f25571b3c1959afe618ad9f9f17a817cfd731d1504541b1a75

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\ready.ps1
                    MD5

                    28d9755addec05c0b24cca50dfe3a92b

                    SHA1

                    7d3156f11c7a7fb60d29809caf93101de2681aa3

                    SHA256

                    abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

                    SHA512

                    891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\zboakoxb\zboakoxb.dll
                    MD5

                    d3edbd045bfff76d67b2c22e68b97e13

                    SHA1

                    a072ccca2930d907a4b0cc33a76dd58711aa4a3e

                    SHA256

                    d520a040375f61b848f15f118743ddd3bd4e0d472951480b0341ebb603d76e90

                    SHA512

                    09ce18f829790f7b61016e4b58367441efb770e708e83e3cc3f23a45f21652c8a99a91920d2b448a073409fdf6200868be1c5e6c1547f46762abd49defce9969

                    Download Submit

                  • \??\c:\Users\Admin\AppData\Local\Temp\zboakoxb\CSC6678B83EFD544333B99B4AFEEE122FE.TMP
                    MD5

                    9884cdfdca445f9245a876aca44eeb2f

                    SHA1

                    6e5b60de8171e1e7d04437cb038bde7cd58d196f

                    SHA256

                    9adbafb99cceabee6e76d625d9811e9354596df7b2b6d4cde6879dff38d2c9e0

                    SHA512

                    0ccff0c200aa0a6bbc3e36bd001bfe938c499a173a0a9a19ce2e87cbdcf55d86a6a093f4f9c8d18666b0d20443bfeea55b99ffef16036f569fb9b4bbeba57941

                    Download Submit

                  • \??\c:\Users\Admin\AppData\Local\Temp\zboakoxb\zboakoxb.0.cs
                    MD5

                    9f8ab7eb0ab21443a2fe06dab341510e

                    SHA1

                    2b88b3116a79e48bab7114e18c9b9674e8a52165

                    SHA256

                    e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

                    SHA512

                    53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

                    Download Submit

                  • \??\c:\Users\Admin\AppData\Local\Temp\zboakoxb\zboakoxb.cmdline
                    MD5

                    d0ca721556c0aecac84c63153d13ac60

                    SHA1

                    141718caaa783b7114956ea839226442453e4852

                    SHA256

                    2a94500f7cddc780b6bb28564b11724d696c4b90832a453d4c40a4f392ca7c16

                    SHA512

                    7b89f9cd9353f335231df0b192370de56d9d8f5b192574008f52d82dcd0568e940fd2403faa7d3209333f236c3e0a1bf552ff826a46c631c7ebe969b02b77e84

                    Download Submit

                  • memory/424-962-0x0000000000000000-mapping.dmp

                    Download

                  • memory/584-1005-0x0000000000000000-mapping.dmp

                    Download

                  • memory/696-1007-0x0000000000000000-mapping.dmp

                    Download

                  • memory/740-1006-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1012-1026-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1012-963-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1312-1008-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1456-1009-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1544-1010-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1572-1011-0x0000000000000000-mapping.dmp

                    Download

                  • memory/1592-1012-0x0000000000000000-mapping.dmp

                    Download

                  • memory/2172-1001-0x0000000000000000-mapping.dmp

                    Download

                  • memory/2264-1025-0x0000000000000000-mapping.dmp

                    Download

                  • memory/2364-964-0x0000000000000000-mapping.dmp

                    Download

                  • memory/2460-536-0x000000007F000000-0x000000007F001000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2460-444-0x00000000045B2000-0x00000000045B3000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2460-442-0x00000000045B0000-0x00000000045B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2460-432-0x0000000000000000-mapping.dmp

                    Download

                  • memory/2784-1002-0x0000000000000000-mapping.dmp

                    Download

                  • memory/3548-120-0x0000000004D02000-0x0000000004D03000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3548-121-0x0000000004D03000-0x0000000004D04000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3548-124-0x0000000004D04000-0x0000000004D05000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3548-122-0x00000000058C0000-0x00000000058C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3548-123-0x0000000007C00000-0x0000000007C01000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3548-119-0x0000000004D00000-0x0000000004D01000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3548-115-0x0000000005120000-0x000000000551F000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/3548-118-0x0000000005750000-0x0000000005751000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3548-117-0x0000000005A20000-0x0000000005A21000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-130-0x00000000066C0000-0x00000000066C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-176-0x0000000008E00000-0x0000000008E01000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-155-0x00000000066C3000-0x00000000066C4000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-153-0x0000000008AA0000-0x0000000008AA1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-125-0x0000000000000000-mapping.dmp

                    Download

                  • memory/3644-128-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-129-0x0000000006D00000-0x0000000006D01000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-131-0x00000000066C2000-0x00000000066C3000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-133-0x0000000007330000-0x0000000007331000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-1053-0x000000007EDD0000-0x000000007EDD1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-145-0x0000000008A20000-0x0000000008A21000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-144-0x0000000009380000-0x0000000009381000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-132-0x0000000006C30000-0x0000000006C31000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-138-0x0000000007D20000-0x0000000007D21000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-137-0x0000000007EB0000-0x0000000007EB1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-136-0x0000000007400000-0x0000000007401000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-135-0x00000000075F0000-0x00000000075F1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3688-700-0x0000000004D92000-0x0000000004D93000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3688-744-0x000000007EF30000-0x000000007EF31000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3688-699-0x0000000004D90000-0x0000000004D91000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3688-683-0x0000000000000000-mapping.dmp

                    Download

                  • memory/3716-149-0x0000000000000000-mapping.dmp

                    Download

                  • memory/3748-146-0x0000000000000000-mapping.dmp

                    Download

                  • memory/4080-212-0x0000000008B40000-0x0000000008B41000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4080-213-0x000000007E860000-0x000000007E861000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4080-211-0x0000000008990000-0x0000000008991000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4080-206-0x0000000008830000-0x0000000008831000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4080-198-0x0000000008850000-0x0000000008883000-memory.dmp

                    Filesize

                    204KB

                    Download

                  • memory/4080-187-0x0000000004672000-0x0000000004673000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4080-186-0x0000000004670000-0x0000000004671000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4080-177-0x0000000000000000-mapping.dmp

                    Download

                  • memory/4080-406-0x0000000008AE0000-0x0000000008AE1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4080-412-0x0000000008AD0000-0x0000000008AD1000-memory.dmp

                    Filesize

                    4KB

                    Download