Analysis
-
max time kernel
110s -
max time network
122s -
submitted
01-01-1970 00:00
General
-
Target
edc29fe698230e37846eaa00d4aeed60550c09674bf628237c9b942e0085d121.exe
-
Size
4.3MB
-
MD5
239348d287c11a59a46078a95c0274ba
-
SHA1
e27f3e5a2c8b629d799d3d04396fcec50c435e6f
-
SHA256
edc29fe698230e37846eaa00d4aeed60550c09674bf628237c9b942e0085d121
-
SHA512
69f0ef71d9d358ceb4a73345cefa48a8e388f6a9dd62aa82487fbe1983c8d372dd40407e756ac7245d45b85fdcc2c4b538b02d6a7b9cb3f874ea64cb0cbc0397
Malware Config
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 8 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 63 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\edc29fe698230e37846eaa00d4aeed60550c09674bf628237c9b942e0085d121.exe"C:\Users\Admin\AppData\Local\Temp\edc29fe698230e37846eaa00d4aeed60550c09674bf628237c9b942e0085d121.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d5pplxag\d5pplxag.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD66B.tmp" "c:\Users\Admin\AppData\Local\Temp\d5pplxag\CSC5CA27E7958FB43B9BA8F4AEDFF411038.TMP"4⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
f3068198b62b4b70404ec46694d632be
SHA17b0b31ae227cf2a78cb751573a9d07f755104ea0
SHA256bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8
SHA512ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795
-
MD5
a1e3bc4d799d80e8f605edb7b4557170
SHA1992a14ec8160c7008d9617825abb22049fd226d0
SHA25675b25971299657b7927ee243eaf264e46e6c9bfd3152cd7f9b50351479b1f6bf
SHA512af2a7543fc848e939ec29ff762b1d55238b81af15a86361b978c0e6e639a552f73e4f7b422d05852334feb8fd5de33f52c7a5fba6a04920f5d2b330f336f2acd
-
MD5
4cb5a32500b106badb8a23717fd772eb
SHA1cf7308ebfb56fa5d54bd504b0df74da0279f3841
SHA25657124b1ae3d4c4a03bf18fc96202b1391ba570928e7bc59c2795383bbe47340f
SHA512c96bf46b652871312446c29249831b55186a0a0aa70efaecf8eb6392f6ff6281c0639b3490d39310963aed8c7329f43a6528d98287a4125229b3b0bb9a7eeb6f
-
MD5
794bf0ae26a7efb0c516cf4a7692c501
SHA1c8f81d0ddd4d360dcbe0814a04a86748f99c6ff2
SHA25697753653d52aaa961e4d1364b5b43551c76da9bb19e12f741bd67c986259e825
SHA51220c97972a1256375157f82a859ce4936613fe109d54c63bbec25734edc3a567ca976b342a21ef5f25571b3c1959afe618ad9f9f17a817cfd731d1504541b1a75
-
MD5
28d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
MD5
361c765e4cfdb4d6cb5a1ae580cf7129
SHA1af25ea0a45919077c8326affcebf21045e513f18
SHA256a984d8073b720d0f61db16e4be1310864caf238cbc5d1c360998c61ac25b1ebb
SHA5124e920edeb4160b4bc49a05c6135685f2bd47200b52f035bb4a6cab650894215009b81cf2f459350f16a6960da2a09951b3534a9b9c79034df02ccaec818ae017
-
MD5
9f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
MD5
72ba6cbf4ed48401ee9d5e4fe79bf0ee
SHA1cb73398b34ec427f13bc2cabb32ed5fba8bc3811
SHA256dc8e037f4055f760d3cd20caebee8dd4d8770d378c741a525267c4f8c658ca50
SHA5127454830453898811b2c77b5a4f1124cbc37da0179fd9c1e114716ead2b7f8b33583f0c03890c65daed6bfb09a1c8fcb7e309068a52bdc424617e1b9a68f5e346
-
-
-
-
-
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
-
-
-
-
-
-
-
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.0MB
-
Filesize
43.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.0MB
-
-
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB