Overview

overview

10

Static

static

608b93e344...61.exe

windows7_x64

1

608b93e344...61.exe

windows10_x64

10

Analysis

  • max time kernel
    82s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    14-09-2021 14:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    608b93e344bd3dbb09d0af9da6856061.exe

  • Size

    4.0MB

  • MD5

    608b93e344bd3dbb09d0af9da6856061

  • SHA1

    b7c8bd7bace350d3c9c054ebb58f25535d22ee95

  • SHA256

    5d45cef43fb4c150c33337fb369a89800f9d235eee1dbdac13a8f6fd13bc1ee4

  • SHA512

    6e47bb4688737505af62a8c67cea4143185dc047340d8943d412b5274b229bd24628a31576a3250cdfb69b0b4fcfd74140fe83355f49527e7cf9f465c30ac131

Score
10/10
servhelperxmrigbackdoorminerpersistencetrojan

Malware Config

Signatures

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe
    "C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3548
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3644
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zboakoxb\zboakoxb.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3748
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BBB.tmp" "c:\Users\Admin\AppData\Local\Temp\zboakoxb\CSC6678B83EFD544333B99B4AFEEE122FE.TMP"
          4⤵
            PID:3716
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4080
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2460
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3688
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
          3⤵
            PID:424
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
            3⤵
            • Modifies registry key
            PID:1012
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
            3⤵
              PID:2364
            • C:\Windows\SysWOW64\net.exe
              "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2172
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                4⤵
                  PID:2784
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:584
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c net start rdpdr
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:740
                  • C:\Windows\SysWOW64\net.exe
                    net start rdpdr
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:696
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 start rdpdr
                      6⤵
                        PID:1312
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1456
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c net start TermService
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1544
                    • C:\Windows\SysWOW64\net.exe
                      net start TermService
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1572
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 start TermService
                        6⤵
                          PID:1592
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                    3⤵
                      PID:2264
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                      3⤵
                        PID:1012

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/2460-536-0x000000007F000000-0x000000007F001000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2460-444-0x00000000045B2000-0x00000000045B3000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2460-442-0x00000000045B0000-0x00000000045B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3548-120-0x0000000004D02000-0x0000000004D03000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3548-121-0x0000000004D03000-0x0000000004D04000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3548-124-0x0000000004D04000-0x0000000004D05000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3548-122-0x00000000058C0000-0x00000000058C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3548-123-0x0000000007C00000-0x0000000007C01000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3548-119-0x0000000004D00000-0x0000000004D01000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3548-115-0x0000000005120000-0x000000000551F000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/3548-118-0x0000000005750000-0x0000000005751000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3548-117-0x0000000005A20000-0x0000000005A21000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-130-0x00000000066C0000-0x00000000066C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-176-0x0000000008E00000-0x0000000008E01000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-155-0x00000000066C3000-0x00000000066C4000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-153-0x0000000008AA0000-0x0000000008AA1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-128-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-129-0x0000000006D00000-0x0000000006D01000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-131-0x00000000066C2000-0x00000000066C3000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-133-0x0000000007330000-0x0000000007331000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-1053-0x000000007EDD0000-0x000000007EDD1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-145-0x0000000008A20000-0x0000000008A21000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-144-0x0000000009380000-0x0000000009381000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-132-0x0000000006C30000-0x0000000006C31000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-138-0x0000000007D20000-0x0000000007D21000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-137-0x0000000007EB0000-0x0000000007EB1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-136-0x0000000007400000-0x0000000007401000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3644-135-0x00000000075F0000-0x00000000075F1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3688-700-0x0000000004D92000-0x0000000004D93000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3688-744-0x000000007EF30000-0x000000007EF31000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3688-699-0x0000000004D90000-0x0000000004D91000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4080-212-0x0000000008B40000-0x0000000008B41000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4080-213-0x000000007E860000-0x000000007E861000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4080-211-0x0000000008990000-0x0000000008991000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4080-206-0x0000000008830000-0x0000000008831000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4080-198-0x0000000008850000-0x0000000008883000-memory.dmp

                    Filesize

                    204KB

                    Download

                  • memory/4080-187-0x0000000004672000-0x0000000004673000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4080-186-0x0000000004670000-0x0000000004671000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4080-406-0x0000000008AE0000-0x0000000008AE1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4080-412-0x0000000008AD0000-0x0000000008AD1000-memory.dmp

                    Filesize

                    4KB

                    Download