Overview

overview

10

Static

static

748b112881...8e.exe

windows7_x64

1

748b112881...8e.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    157s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    26-09-2021 14:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    748b112881047820f530c202bb59488e.exe

  • Size

    4.0MB

  • MD5

    748b112881047820f530c202bb59488e

  • SHA1

    edf77f969bf54a47b21e6179cbcabb4651706d7c

  • SHA256

    82285ac0988c68f9b9ecc7649cb9c6a3f3ecb242dd198465dbd4236d7fa6a59c

  • SHA512

    252640d935ce3c7885fa48496b1b9c405f5dc9e719eda9c965d5fec46f877c00a7d96b14acf7410fbef9dbbfa9723932b54cdc75084fdd54e492eaa8d6f37ad6

Score
10/10
servhelperxmrigbackdoorminerpersistencetrojan

Malware Config

Signatures

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\748b112881047820f530c202bb59488e.exe
    "C:\Users\Admin\AppData\Local\Temp\748b112881047820f530c202bb59488e.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3188
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zea4ipco\zea4ipco.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:648
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES14A2.tmp" "c:\Users\Admin\AppData\Local\Temp\zea4ipco\CSC3DC7E20752B24731AA2DA089C7149AA5.TMP"
          4⤵
            PID:940
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3680
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3784
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1044
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
          3⤵
            PID:3980
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
            3⤵
            • Modifies registry key
            PID:1164
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
            3⤵
              PID:1812
            • C:\Windows\SysWOW64\net.exe
              "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2040
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                4⤵
                  PID:864
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1428
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c net start rdpdr
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:640
                  • C:\Windows\SysWOW64\net.exe
                    net start rdpdr
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3112
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 start rdpdr
                      6⤵
                        PID:2356
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:656
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c net start TermService
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3292
                    • C:\Windows\SysWOW64\net.exe
                      net start TermService
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3160
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 start TermService
                        6⤵
                          PID:3508
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                    3⤵
                      PID:3680
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                      3⤵
                        PID:3712

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/1044-698-0x0000000004812000-0x0000000004813000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1044-697-0x0000000004810000-0x0000000004811000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1044-742-0x000000007EE70000-0x000000007EE71000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1840-124-0x0000000007D40000-0x0000000007D41000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1840-115-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1840-123-0x00000000058B0000-0x00000000058B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1840-122-0x0000000000FB4000-0x0000000000FB5000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1840-121-0x00000000058C0000-0x00000000058C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1840-120-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1840-118-0x0000000000FB2000-0x0000000000FB3000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1840-119-0x0000000000FB3000-0x0000000000FB4000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1840-116-0x00000000052E0000-0x00000000056DF000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/3188-136-0x0000000007D60000-0x0000000007D61000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3188-132-0x0000000007430000-0x0000000007431000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3188-1052-0x000000007EB50000-0x000000007EB51000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3188-128-0x0000000004E20000-0x0000000004E21000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3188-129-0x0000000007080000-0x0000000007081000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3188-130-0x0000000007082000-0x0000000007083000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3188-131-0x00000000076C0000-0x00000000076C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3188-133-0x0000000007600000-0x0000000007601000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3188-135-0x0000000007F90000-0x0000000007F91000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3188-137-0x00000000086A0000-0x00000000086A1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3188-138-0x0000000008600000-0x0000000008601000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3188-144-0x0000000009C60000-0x0000000009C61000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3188-145-0x0000000009320000-0x0000000009321000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3188-176-0x0000000009610000-0x0000000009611000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3188-153-0x0000000009280000-0x0000000009281000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3188-155-0x0000000007083000-0x0000000007084000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3680-198-0x0000000009220000-0x0000000009253000-memory.dmp

                    Filesize

                    204KB

                    Download

                  • memory/3680-206-0x0000000009200000-0x0000000009201000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3680-186-0x00000000052F0000-0x00000000052F1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3680-412-0x0000000008E70000-0x0000000008E71000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3680-406-0x0000000009430000-0x0000000009431000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3680-213-0x0000000009550000-0x0000000009551000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3680-212-0x0000000009360000-0x0000000009361000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3680-211-0x000000007F600000-0x000000007F601000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3680-187-0x00000000052F2000-0x00000000052F3000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3784-441-0x00000000072E0000-0x00000000072E1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3784-468-0x000000007F560000-0x000000007F561000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3784-442-0x00000000072E2000-0x00000000072E3000-memory.dmp

                    Filesize

                    4KB

                    Download