Analysis

  • max time kernel
    179s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 06:08

General

  • Target

    97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef.exe

  • Size

    4.3MB

  • MD5

    8786f856af7d279d72cf6cac110e3e69

  • SHA1

    52cfb091bbcd1ac44a5bee5dd25707b646a126dc

  • SHA256

    97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef

  • SHA512

    1fd4401394aed60ea4ebc81275d9e33c73e4f79a2ddb34777779d6ce2456c121a5d7a3bff17f744c248a003b1d93cb22552d5e5fbfde3dc740fa67fe8afc123b

Malware Config

Signatures

  • ServHelper

    ServHelper is a backdoor written in Delphi and is attributed to the threat group TA505. The variant run here installs its RDP-enablement component: it drops rfxvmt.dll into System32, re-ACLs it, repoints the TermService ServiceDll at a file disguised as an image, and moves the RDP listener to a non-default port (see the process tree below).

  • Modifies RDP port number used by Windows 1 TTPs
  • Possible privilege escalation attempt 8 IoCs
  • Sets DLL path for service in the registry 2 TTPs
  • Loads dropped DLL 6 IoCs
  • Modifies file permissions 1 TTPs 8 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Sandbox heuristic: the sample interacts with connected storage/optical drive(s), which this generic signature flags as likely ransomware behaviour. Nothing else in this report shows file encryption; the observed activity is the RDP-enablement chain of the ServHelper backdoor, so treat the ransomware label with caution.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef.exe
    "C:\Users\Admin\AppData\Local\Temp\97e2e89259634123c1b80cd93700be7436ecbb61f42c205c9e199bcb2798bdef.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout -t 15& powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\gerta.ps1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\system32\timeout.exe
        timeout -t 15
        3⤵
        • Delays execution with timeout.exe
        PID:1724
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\gerta.ps1
        3⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1984
        • C:\Windows\system32\takeown.exe
          "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1548
        • C:\Windows\system32\icacls.exe
          "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1716
        • C:\Windows\system32\icacls.exe
          "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:332
        • C:\Windows\system32\icacls.exe
          "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1768
        • C:\Windows\system32\icacls.exe
          "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:700
        • C:\Windows\system32\icacls.exe
          "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1228
        • C:\Windows\system32\icacls.exe
          "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1252
        • C:\Windows\system32\icacls.exe
          "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1920
        • C:\Windows\system32\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
          4⤵
          PID:1900
        • C:\Windows\system32\reg.exe
          "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
          4⤵
          • Modifies registry key
          PID:1736
        • C:\Windows\system32\reg.exe
          "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
          4⤵
          PID:948
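The process tree above records the whole installation chain in order: takeown /A takes ownership of the dropped rfxvmt.dll for the Administrators group, icacls disables ACL inheritance, hands ownership and full control to NT SERVICE\TrustedInstaller, and reduces SYSTEM and BUILTIN\Administrators to read/execute, so the dropped DLL ends up with the ownership and ACL of a stock system file. reg.exe then moves the RDP-Tcp listener to 0x1C21 (7201), points the TermService ServiceDll at C:\Windows\branding\mediasrv.png, and sets the fEnableWddmDriver policy to 0. The following PowerShell audit is an example written for this page, not part of the sandbox report or of ServHelper. The registry paths, the port value, the fake ServiceDll path and the rfxvmt.dll SHA256 are copied from this report; the defaults it compares against (port 3389, ServiceDll ending in \System32\termsrv.dll), the requirement for an elevated PowerShell 4.0+ session, and the function name Get-RdpTamperingFindings are my assumptions.

```powershell
# Added host audit for the RDP-tampering artefacts in the process tree above.
# Example code for this page, not from the sandbox report or from ServHelper.
# Assumptions: elevated session, PowerShell 4.0 or later (Get-FileHash), and a
# host whose RDP listener and TermService were never legitimately re-pointed.

# Values exactly as written by the sample (taken from the report).
$RdpTcpKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TermServiceKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
$TsPolicyKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$MaliciousPort    = 0x1C21                                   # 7201 decimal
$FakeServiceDll   = 'C:\Windows\branding\mediasrv.png'
$RfxPath          = Join-Path $env:SystemRoot 'System32\rfxvmt.dll'
$DroppedRfxSha256 = '6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9'  # Downloads section

# Windows defaults the audit compares against (assumed, not from the report).
$DefaultRdpPort   = 3389
$DefaultTermSrv   = '\System32\termsrv.dll'

function Get-RdpTamperingFindings {
    $findings = New-Object System.Collections.Generic.List[object]

    function Add-Finding([string]$Check, [string]$Detail, [string]$Severity) {
        $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail; Severity = $Severity })
    }

    # Returns $null when the key or the value is absent instead of throwing.
    function Get-RegValue([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
        return $null
    }

    # 1. RDP listener port (the sample writes 0x1C21).
    $port = Get-RegValue $RdpTcpKey 'PortNumber'
    if ($port -eq $MaliciousPort) {
        Add-Finding 'RDP-Tcp\PortNumber' ("0x{0:X} ({0}) is the value written by the sample" -f $port) 'High'
    } elseif ($null -ne $port -and $port -ne $DefaultRdpPort) {
        Add-Finding 'RDP-Tcp\PortNumber' "Non-default port $port" 'Medium'
    }

    # 2. TermService ServiceDll (the sample points it at a .png under C:\Windows\branding).
    $svcDll = Get-RegValue $TermServiceKey 'ServiceDll'
    if ($svcDll) {
        $expanded = [Environment]::ExpandEnvironmentVariables($svcDll)
        if ($expanded -ieq $FakeServiceDll) {
            Add-Finding 'TermService\Parameters\ServiceDll' "Points at $expanded (service DLL disguised as an image)" 'High'
        } elseif (-not $expanded.EndsWith($DefaultTermSrv, [StringComparison]::OrdinalIgnoreCase)) {
            Add-Finding 'TermService\Parameters\ServiceDll' "Unexpected path $expanded" 'High'
        }
    }

    # 3. WDDM driver policy (the sample sets fEnableWddmDriver = 0 under Policies).
    if ((Get-RegValue $TsPolicyKey 'fEnableWddmDriver') -eq 0) {
        Add-Finding 'Terminal Services policy\fEnableWddmDriver' 'Set to 0 by policy' 'Medium'
    }

    # 4. rfxvmt.dll. The takeown/icacls chain re-ACLs the dropped DLL to look like a
    #    stock TrustedInstaller-owned system file, so ownership alone is not a useful
    #    signal. Compare the hash with the dropped file and report signature/owner for
    #    context (catalog-signed OS files can show NotSigned on older PowerShell builds).
    if (Test-Path -LiteralPath $RfxPath) {
        $hash = (Get-FileHash -LiteralPath $RfxPath -Algorithm SHA256).Hash
        if ($hash -ieq $DroppedRfxSha256) {
            Add-Finding 'System32\rfxvmt.dll' 'SHA256 matches the DLL dropped by the sample' 'High'
        } else {
            $sig   = Get-AuthenticodeSignature -FilePath $RfxPath
            $owner = (Get-Acl -LiteralPath $RfxPath).Owner
            Add-Finding 'System32\rfxvmt.dll' "Present; SHA256 $hash; signature $($sig.Status); owner $owner" 'Info'
        }
    }

    return ,$findings   # comma keeps an empty list from unrolling to $null
}

$results = Get-RdpTamperingFindings
if ($results.Count -eq 0) {
    'No ServHelper-style RDP tampering found.'
} else {
    $results | Format-Table -AutoSize
}
```

The hash comparison is the only check that ties a host to this exact sample; the port, ServiceDll and policy checks catch the technique regardless of which DLL was dropped, at the cost of flagging hosts where an administrator moved RDP or the service DLL on purpose.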

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      • Persistence: Registry Run Keys / Startup Folder (T1060) x1
      • Defense Evasion: Modify Registry (T1112) x2
      • Defense Evasion: File Permissions Modification (T1222) x1
      • Discovery: System Information Discovery (T1082) x1
      • Lateral Movement: Remote Desktop Protocol (T1076) x1

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\gerta.ps1
        Filesize

        5.3MB

        MD5

        ba3470f3eb24a5ac1f94cf850ba299f0

        SHA1

        5c122ce2a7c3dd5be355e4c68fddde248c3642a0

        SHA256

        609fb89c303d7cdab7ad1a3059ec53f448354176f8c19ba7a4841ea4b2defb4b

        SHA512

        562f394717dffbd854c3d04569be2c57739f29a84ca152b3d413fa046679999f67fbba439c252fbac0121be6d11bda61f2a2d010461350b9e399d20669490918

      • C:\Windows\system32\rfxvmt.dll
        Filesize

        40KB

        MD5

        dc39d23e4c0e681fad7a3e1342a2843c

        SHA1

        58fd7d50c2dca464a128f5e0435d6f0515e62073

        SHA256

        6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

        SHA512

        5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

      • \Users\Admin\AppData\Local\Temp\nst717A.tmp\System.dll
        Filesize

        11KB

        MD5

        fbe295e5a1acfbd0a6271898f885fe6a

        SHA1

        d6d205922e61635472efb13c2bb92c9ac6cb96da

        SHA256

        a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

        SHA512

        2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

      • \Users\Admin\AppData\Local\Temp\nst717A.tmp\blowfish.dll
        Filesize

        22KB

        MD5

        5afd4a9b7e69e7c6e312b2ce4040394a

        SHA1

        fbd07adb3f02f866dc3a327a86b0f319d4a94502

        SHA256

        053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

        SHA512

        f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

      • \Users\Admin\AppData\Local\Temp\nst717A.tmp\nsUnzip.dll
        Filesize

        146KB

        MD5

        77a26c23948070dc012bba65e7f390aa

        SHA1

        7e112775770f9b3b24e2a238b5f7c66f8802e5d8

        SHA256

        4e4e429ecf1c49119a21c817899f64152b03b41b036fc1d92aee335043364c43

        SHA512

        2e7ffa4ed5c97f555e1b0d6f55ffcfd53cd28302fc77d95fdaea89e0b6b42e67e366331e52358e78e8266d079cc2ca3ea4c909197fb38a5b4c8151c7678d0065

      • memory/332-72-0x0000000000000000-mapping.dmp
      • memory/700-74-0x0000000000000000-mapping.dmp
      • memory/948-80-0x0000000000000000-mapping.dmp
      • memory/1228-75-0x0000000000000000-mapping.dmp
      • memory/1252-76-0x0000000000000000-mapping.dmp
      • memory/1548-69-0x0000000000000000-mapping.dmp
      • memory/1680-54-0x0000000075C51000-0x0000000075C53000-memory.dmp
        Filesize

        8KB

      • memory/1716-71-0x0000000000000000-mapping.dmp
      • memory/1724-62-0x0000000000000000-mapping.dmp
      • memory/1736-79-0x0000000000000000-mapping.dmp
      • memory/1768-73-0x0000000000000000-mapping.dmp
      • memory/1900-78-0x0000000000000000-mapping.dmp
      • memory/1920-77-0x0000000000000000-mapping.dmp
      • memory/1984-63-0x0000000000000000-mapping.dmp
      • memory/1984-68-0x000000000277B000-0x000000000279A000-memory.dmp
        Filesize

        124KB

      • memory/1984-65-0x000007FEF3DB0000-0x000007FEF490D000-memory.dmp
        Filesize

        11.4MB

      • memory/1984-66-0x0000000002774000-0x0000000002777000-memory.dmp
        Filesize

        12KB

      • memory/1984-64-0x000007FEFC3E1000-0x000007FEFC3E3000-memory.dmp
        Filesize

        8KB

      • memory/2016-61-0x0000000000000000-mapping.dmp