Analysis
-
max time kernel
146s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
22-12-2023 00:32
General
-
Target
37ee84f9933d943000195e804b3b7b75.exe
-
Size
4.1MB
-
MD5
37ee84f9933d943000195e804b3b7b75
-
SHA1
738f4e23ce5dd5c2c08de9cdb9ca99c0e4db90f5
-
SHA256
c6d19a50de0ff5674c48106227234f3e9d5231e97a79cf51dd137042b7444ba5
-
SHA512
fdb6f22c1adf37a6e6d11419c964859602f1db8ce3dcb2ec887570e168d47975a74b5a16e8af5da11d4de54e071e308a950ef3908def2f0612de3ac0b6fd73f2
-
SSDEEP
98304:l8Cirq4EmiHjDhIKuPU5Du+f+8Q4LuIa:lUrqzjDhOkGCTa
Malware Config
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 8 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\37ee84f9933d943000195e804b3b7b75.exe"C:\Users\Admin\AppData\Local\Temp\37ee84f9933d943000195e804b3b7b75.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0k1kgvcf\0k1kgvcf.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5AF1.tmp" "c:\Users\Admin\AppData\Local\Temp\0k1kgvcf\CSCB47FA57864144837995353C42B7EFA8C.TMP"4⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Sets DLL path for service in the registry
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService4⤵
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService1⤵
-
C:\Windows\SysWOW64\net.exenet start TermService1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr1⤵
-
C:\Windows\SysWOW64\net.exenet start rdpdr1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5d39ab8212383b95d2b7200194c21d54a
SHA11eee79fa40f2e1b85f8e242b38f0e6a5a09e574b
SHA2567a326e08939c027c352237a74608892bd7ef69114c079ee45dc2e7a87d42414e
SHA5126e30e6b6cf927eb01533394b99433c2263f1ce0f3bf7fbec0e79a0ee5f764422d9792fb11e834a4ee7e44f60f989327c6dacd955961f6da085cdc0b121980309
-
Filesize
1KB
MD5d2b1cd30ee4fb96d9d654b11c042aea5
SHA1a50fa521e5485c8b341e7c558c14517ad12ec0b8
SHA256d83d5ac2a491ba8559cc415d7b2ca2c7b08c39d7c21472f66f5f28c3dd490393
SHA51209af8767c4d4499f852f61ff4d24f06804ba870754e24a1e2ae557a793793637b539b7961bd2913ec8dc9ec490553ea66108a03ee9953efc915ca9140d7155eb
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
101KB
MD51e03ef5bd509e9914e76ed214f4bc01d
SHA15535f7fc77fc252bdf8e494127ad9379776ffb31
SHA25691695da5dc9af2b5faa087d7fba2e2665b724e3f5d03955d58d538d43e74f071
SHA512dea2ff8186c90335a8faf5dd8fc943d24348f30c9cf312f653f1760b9afa2ea46b76474efaac077592ba4439e6fe4a68dea418ed51b451f667c5585cdeeb7e28
-
Filesize
1KB
MD528d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
Filesize
40KB
MD5dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
Filesize
424B
MD59f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
Filesize
369B
MD50c48310200277d8e4ccf511a599f6cf8
SHA14ce32c39a6ff04819c782830c256980a191c7690
SHA25602efb87fd033cc07d502913e6908839dccc871d48f5ab1a203525121983377a4
SHA512ac91af18736681ba2b547649702a981771921581c7848e17cdd6e614c8499a44afe0211a9247a0cfd343784f8193381a04013828657190883828a302308b148a
-
Filesize
652B
MD5fa54730d53c7475de02049175099128b
SHA10b8fb74135ed051360a1bda61a0dc015a5b04f7e
SHA2567fa063a77515ea9ababa4bbe34a3842d6a3b68b43fe474779446de60921d60c5
SHA512988ad2e531f0260e92b59d257e84672aaa197cb7c5857ddb863badd99a3d646b6740310027e37e66d0bdd62719a2b8b4e0a2b2489d574610646a3457f6e15330
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
56KB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
652KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
4.1MB
-
Filesize
408KB
-
Filesize
4.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4.0MB
-
Filesize
64KB
-
Filesize
4.0MB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
33.2MB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
4.1MB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.2MB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
6.5MB
-
Filesize
176KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB