Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    127s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    16-10-2021 09:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f464dae032967264173885899186be9eac89bd2016ded5ebc38c705fa6b1b625.exe

  • Size

    6.7MB

  • MD5

    2e3b62f4f1669b3615608ea31e1796dd

  • SHA1

    9f9584588e480c0cfc18b770da47b00919e24219

  • SHA256

    f464dae032967264173885899186be9eac89bd2016ded5ebc38c705fa6b1b625

  • SHA512

    2879f87ce2e3c075512408fbdb17a01209663c2f635c3e07cec1d8e9b1f0490c9219eea2229dcd5863467435d35bef874e9d5fd243e46b02850d0157288b95af

Score
10/10
servhelperxmrigagilenetbackdoorminerpersistencetrojan

Malware Config

Signatures

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Executes dropped EXE 1 IoCs
  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • Deletes itself 1 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f464dae032967264173885899186be9eac89bd2016ded5ebc38c705fa6b1b625.exe
    "C:\Users\Admin\AppData\Local\Temp\f464dae032967264173885899186be9eac89bd2016ded5ebc38c705fa6b1b625.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:8
    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3204
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
        3⤵
        • Deletes itself
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:964
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\swwk0kcn\swwk0kcn.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1636
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A3B.tmp" "c:\Users\Admin\AppData\Local\Temp\swwk0kcn\CSCBA413C0FAB3444CF8999DAC8421F5270.TMP"
            5⤵
              PID:1512
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4028
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1476
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4028
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
            4⤵
              PID:1488
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
              4⤵
              • Modifies registry key
              PID:680
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
              4⤵
                PID:1864
              • C:\Windows\SysWOW64\net.exe
                "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2068
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                  5⤵
                    PID:1972
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2304
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c net start rdpdr
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2284
                    • C:\Windows\SysWOW64\net.exe
                      net start rdpdr
                      6⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2196
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 start rdpdr
                        7⤵
                          PID:1724
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1384
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c net start TermService
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3264
                      • C:\Windows\SysWOW64\net.exe
                        net start TermService
                        6⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3512
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 start TermService
                          7⤵
                            PID:3004
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                      4⤵
                        PID:3776
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                        4⤵
                          PID:2952

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/8-126-0x0000000003860000-0x000000000386B000-memory.dmp

                    Filesize

                    44KB

                    Download

                  • memory/8-127-0x00000000075A0000-0x00000000075A1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/8-125-0x0000000005EB0000-0x00000000063AE000-memory.dmp

                    Filesize

                    5.0MB

                    Download

                  • memory/8-124-0x0000000007370000-0x0000000007371000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/8-123-0x00000000073B0000-0x00000000073B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/8-122-0x0000000007310000-0x0000000007331000-memory.dmp

                    Filesize

                    132KB

                    Download

                  • memory/8-121-0x0000000005EB0000-0x00000000063AE000-memory.dmp

                    Filesize

                    5.0MB

                    Download

                  • memory/8-115-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/8-120-0x00000000062C0000-0x00000000062C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/8-119-0x0000000005EB0000-0x0000000005EB1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/8-118-0x0000000005DE0000-0x0000000005DE1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/8-117-0x00000000063B0000-0x00000000063B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/964-175-0x0000000007690000-0x0000000007691000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/964-158-0x0000000008200000-0x0000000008201000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/964-148-0x0000000003730000-0x0000000003731000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/964-149-0x0000000003730000-0x0000000003731000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/964-150-0x00000000073C0000-0x00000000073C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/964-151-0x0000000007A70000-0x0000000007A71000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/964-152-0x00000000080E0000-0x00000000080E1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/964-153-0x0000000008260000-0x0000000008261000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/964-155-0x0000000008440000-0x0000000008441000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/964-156-0x0000000007430000-0x0000000007431000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/964-157-0x0000000007432000-0x0000000007433000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/964-159-0x0000000008BD0000-0x0000000008BD1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/964-160-0x0000000008B50000-0x0000000008B51000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/964-177-0x0000000007433000-0x0000000007434000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/964-162-0x0000000003730000-0x0000000003731000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/964-166-0x000000000A030000-0x000000000A031000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/964-167-0x0000000009880000-0x0000000009881000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/964-198-0x0000000009C60000-0x0000000009C61000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/964-1082-0x000000007F6F0000-0x000000007F6F1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1476-464-0x0000000004EF2000-0x0000000004EF3000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1476-489-0x000000007E820000-0x000000007E821000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1476-463-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3204-142-0x0000000005272000-0x0000000005273000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3204-131-0x0000000000960000-0x0000000000D6B000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/3204-138-0x0000000005690000-0x0000000005A8F000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/3204-136-0x0000000000960000-0x0000000000961000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3204-141-0x0000000005270000-0x0000000005271000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3204-134-0x0000000000960000-0x0000000000D6B000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/3204-143-0x0000000005273000-0x0000000005274000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3204-144-0x0000000005240000-0x0000000005241000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3204-146-0x0000000005274000-0x0000000005275000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4028-201-0x0000000004870000-0x0000000004871000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4028-814-0x000000007EBA0000-0x000000007EBA1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4028-719-0x0000000004DB2000-0x0000000004DB3000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4028-718-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4028-229-0x000000007EEC0000-0x000000007EEC1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4028-209-0x0000000007032000-0x0000000007033000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4028-208-0x0000000007030000-0x0000000007031000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4028-200-0x0000000004870000-0x0000000004871000-memory.dmp

                    Filesize

                    4KB

                    Download