Overview

overview

10

Static

static

0d88cfa2c2...04.exe

windows7-x64

7

0d88cfa2c2...04.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0d88cfa2c2d6f7bd237f0cfab2e075f2b3ee328b15c3980ca48f31c77f8f7204

  • Size

    4.6MB

  • Sample

    230129-v86flahb7z

  • MD5

    fa68435c8733319fdc648b1ae7e76ff6

  • SHA1

    afabe1cb32cc64d5c9d1dc3f8330da7cf1a3e2f0

  • SHA256

    0d88cfa2c2d6f7bd237f0cfab2e075f2b3ee328b15c3980ca48f31c77f8f7204

  • SHA512

    4b70d76ab9f9a48f719b4400ffab0ac9914e5e788d7513a9d06ba0593c9b3a7d16f3489ef121c2202a20be6238b76ea839ac5d19becabff196c2cbd6a8655ea1

  • SSDEEP

    49152:n6S5QUskvRLmhAG5JyCE/Wi5MgmHG0G5vKuPIR+vFtP0/VjeYJ1E+kRU1:j5QUskvRCJW+

Score
10/10
servhelperbackdoordiscoveryexploitpersistencetrojanupx

Malware Config

Targets

    • Target

      0d88cfa2c2d6f7bd237f0cfab2e075f2b3ee328b15c3980ca48f31c77f8f7204

    • Size

      4.6MB

    • MD5

      fa68435c8733319fdc648b1ae7e76ff6

    • SHA1

      afabe1cb32cc64d5c9d1dc3f8330da7cf1a3e2f0

    • SHA256

      0d88cfa2c2d6f7bd237f0cfab2e075f2b3ee328b15c3980ca48f31c77f8f7204

    • SHA512

      4b70d76ab9f9a48f719b4400ffab0ac9914e5e788d7513a9d06ba0593c9b3a7d16f3489ef121c2202a20be6238b76ea839ac5d19becabff196c2cbd6a8655ea1

    • SSDEEP

      49152:n6S5QUskvRLmhAG5JyCE/Wi5MgmHG0G5vKuPIR+vFtP0/VjeYJ1E+kRU1:j5QUskvRCJW+

    Score
    10/10
    servhelperbackdoordiscoveryexploitpersistencetrojanupx

    • ServHelper

      ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

      trojanbackdoorservhelper

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies RDP port number used by Windows

    • Possible privilege escalation attempt

      exploit

    • Sets DLL path for service in the registry

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

1
T1098

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

File Permissions Modification

1
T1222

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

1
T1076

Collection

Exfiltration

Command and Control

Impact

Tasks