servhelper | 153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772 | Triage

Submit
Reports

Overview

overview

Static

static

153c4863fe...72.exe

windows7_x64

8

153c4863fe...72.exe

windows10-2004_x64

Sharing

General

Target

153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772
Size

4.7MB
Sample

220419-qwf8qaecc6
MD5

178e442aa91768f00d754b395bb5c89e
SHA1

ff7ea0a36080deb166178b7fca97d33955d55dfa
SHA256

153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772
SHA512

2db61a73bc22cc283aee3bdb8420ca9f5617869afa1df74fc8672c7fce9ac014ead0be496de8bfa7764f4ba5288b6f87db142d4791a505a969daea95df7cbca6

Score

10^/10

servhelper backdoor discovery exploit persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.exe

Resource

win7-20220414-en

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772.exe

Resource

win10v2004-20220414-en

servhelper backdoor discovery exploit persistence trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772
- Size
  
  4.7MB
- MD5
  
  178e442aa91768f00d754b395bb5c89e
- SHA1
  
  ff7ea0a36080deb166178b7fca97d33955d55dfa
- SHA256
  
  153c4863fef90fb2e1d89aed48deab4c740ef8b54c39f0fdb4b2f3f8556ff772
- SHA512
  
  2db61a73bc22cc283aee3bdb8420ca9f5617869afa1df74fc8672c7fce9ac014ead0be496de8bfa7764f4ba5288b6f87db142d4791a505a969daea95df7cbca6
Score

10^/10

servhelper backdoor discovery exploit persistence trojan
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
  trojan backdoor servhelper
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Executes dropped EXE
- Modifies RDP port number used by Windows
- Possible privilege escalation attempt
  exploit
- Sets DLL path for service in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Modifies file permissions
  discovery
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Persistence

Account Manipulation

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Account Manipulation

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Remote Desktop Protocol

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

servhelperbackdoordiscoveryexploitpersistencetrojan

© 2018-2024

Terms | Privacy