Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
22-12-2023 14:55
General
-
Target
cfde117b17c27f85169ad02256991c06.exe
-
Size
4.1MB
-
MD5
cfde117b17c27f85169ad02256991c06
-
SHA1
407b79248177f34d215c8ac56dc2e4f6ad2b2c54
-
SHA256
93da2c13d3708853fd6230ac659a4cbbe26593aa0f335ad3e62b262ac6876e62
-
SHA512
69d141e37fbf65d21b16cf81a5cac8d71b8ad746fc0c081578e552f004174ee99cfdf45b14511c6909f8b208f2a44176f284653071bb42553f301a9097b7fc54
-
SSDEEP
98304:LV5gByop3bAU4jgGgnbnB4/7mN/naip6NOrxzfc0Nmm7pFRt:Lu9rEjhCB4jI4Kmm7xt
Malware Config
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 8 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cfde117b17c27f85169ad02256991c06.exe"C:\Users\Admin\AppData\Local\Temp\cfde117b17c27f85169ad02256991c06.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m0rqjzvp\m0rqjzvp.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB40E.tmp" "c:\Users\Admin\AppData\Local\Temp\m0rqjzvp\CSC3635D73791D7439BA8E983E848F82334.TMP"4⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Sets DLL path for service in the registry
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start rdpdr2⤵
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService1⤵
-
C:\Windows\SysWOW64\net.exenet start TermService1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
53KB
MD5e2e6bbdcc5cb2b2a8e58e62380cbdeeb
SHA1fd3b0bbf8d08573d022e54ceb111e4dfe93ff752
SHA2562cf90543f0e785093db02f3ce60471d639ec8e5030a2ea0d70187ce55c248cf2
SHA51282ff827ccb3eb01f00713dfcf4d2ef8107c86d206698a366293bb723e36d9a20dba44c818d40e79824fd72c76987e71d69565a3079bccaaa0626d64a13014317
-
Filesize
1KB
MD5c84160fe48d9d19c2b2fe1395feeb590
SHA1f56e0f6e0de2f157f9aaf868476598f175098a2c
SHA256b54272bd130fb34fb8d297f8b8d60acfff4fe54fa0239a7a299e664e6a68b206
SHA512130fabae438a824ba3137ad2ebadca0351d09c8ac2cf93414491825ecde8521072d3bdf9a0a1dc776d7f9a162c6feea0ddbcd077fa9cd137e9dd31e82e6e66d6
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
19KB
MD5668825e1e0784fa33f1d8c923b5d4775
SHA1070921b376829103441a542f36c3f2f31bd8fa98
SHA25638edf9157475baab4a6645876a8344548ca1f5c1fecfff19ffa9730077767d33
SHA512c5884af8a548376084d576c77d9d0ec80a7dd50ca75b8851feb37fa08099ca61e039bed8ce10697c074e1d017e411740f632d9a584f0b1f05ebd0c43b00034b4
-
Filesize
3KB
MD5a4e851147cdcac5338dcd01af26728c5
SHA142a366335d351616d31b1b6798ce97f609852105
SHA2565744779d056f79092c726305e0f5c753356c0d24d5d05457c58a0c21e863da98
SHA5126d4412a9d9fcb96cf077e204ae67b2923bffb5686c9dbddc424f10a91333618d1e18de258224f329be7c78a1a417da6f80bab2903406d62a16532381d1deb213
-
Filesize
1KB
MD528d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
Filesize
40KB
MD5dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
Filesize
652B
MD51859acf181606be9fd47b1e2981699aa
SHA11029efd2d36b9d4cba3fab0c001e8c5cab903572
SHA2560c6fa6ceabad80914e070b84c1cb5364f11b9f090fb61f01f105ee98d528ded5
SHA512645bd795573235db0a282c78983d576d607d42f811cfbccc5300ca94f04426b0062df2567760eb3ea5772816398b2da2cb82d8e6eed5d37cb5306f18c343a226
-
Filesize
424B
MD59f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
Filesize
369B
MD57843691e3603a9a5d89ce5a220d23ce0
SHA1774619d5b85c1c6d506d86917c4dc9e6c8c27648
SHA256805761930c4fff15576d4960538f5022d1e7c6e271b95b88a169be25eb2869d4
SHA512889774de113e182b6ba8dc014e4f24cfbee647204b5373d997db1a96f2ee5531b812616b793894a5ecb840df4c8d773099a35bcf3d104b7eadb5b2321475019d
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
652KB
-
Filesize
120KB
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
104KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
64KB
-
Filesize
4.0MB
-
Filesize
33.2MB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
408KB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
176KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
64KB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
304KB