Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
152s -
max time network
71s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
19/09/2022, 00:32
General
-
Target
14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe
-
Size
1.7MB
-
MD5
dc2346977ef0abae5a018441719483c4
-
SHA1
e9c1c0f4a743452b723be4b1417711119409e8ee
-
SHA256
14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d
-
SHA512
d69b38a53ae26c063558a47d2a4f453cfbe80d4bc101e5768607236693de28d04e9df6ca2d7b77c6f657b998f12d526f4d283696f026017179a15e110c02a74d
-
SSDEEP
24576:w1mtxqtHYm34wn11A01oMCS2LNSAuF5Aj99A36rFx5U2876MtGdOq04dJv5xN:+mLq2mPnfhoR0bSbBZ3i76MwdTdJv
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Extracted
cybergate
2.6
remote
virus-xp.no-ip.org:81
***MUTEX***
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
svchost.exe
-
install_dir
temp
-
install_file
sysgui.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Please try again later.
-
message_box_title
Error
-
password
abcd1234
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Signatures
-
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Executes dropped EXE 8 IoCs
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 4 IoCs
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 29 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 49 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
-
\\?\C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R3⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe"C:\Users\Admin\AppData\Local\Temp\14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.exe"2⤵
- Loads dropped DLL
- Drops autorun.inf file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe"C:\Users\Admin\AppData\Local\Temp\14a157a7501131aec8159c8ef2d8dc3d05c7e8149a6ebc3a67c061603df8c92d.0.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Deletes itself
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
\??\c:\shell.exec:\shell.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\shell.exec:\shell.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\shell.exe"c:\\shell.exe"5⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe6⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Modifies Installed Components in the registry
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
\??\c:\shell.exe"c:\shell.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\temp\sysgui.exe"C:\Windows\system32\temp\sysgui.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\temp\sysgui.exeC:\Windows\SysWOW64\temp\sysgui.exe8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\temp\sysgui.exe"C:\Windows\SysWOW64\temp\sysgui.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
-
-
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
156KB
MD5c27e63779e0f910401e42ecf864fdba2
SHA134fdc524b985291cea22741a30a3ba6424c50d3e
SHA256dd91db8baa37691f6dc167cd9d348c57acce66595867d743798e05b5fb85743b
SHA512472e30dd0706610241aeb2487e9827fcc8a0a1e24472a16305b5a0baa7ec87212562f711c77100ee1b6a693ade84cf0b2e936ffde7f7dd3416047075532f5c3c
-
Filesize
156KB
MD5c27e63779e0f910401e42ecf864fdba2
SHA134fdc524b985291cea22741a30a3ba6424c50d3e
SHA256dd91db8baa37691f6dc167cd9d348c57acce66595867d743798e05b5fb85743b
SHA512472e30dd0706610241aeb2487e9827fcc8a0a1e24472a16305b5a0baa7ec87212562f711c77100ee1b6a693ade84cf0b2e936ffde7f7dd3416047075532f5c3c
-
Filesize
240KB
MD5a78a7a8cc6b685055bb32698e114f082
SHA1f795bec07bc19f4a4aa9137c8549bd28e7701c30
SHA256c6b9a00079ac9a16c7e63f3236209b1f295845582de528e34ad93a31455e382d
SHA512bd4cc6440575c859860c108fb46b6f834efc4f8525a18f742b25ec83e499d343b04453007ef29adb797c38079a62a23736b7a869a35dcbf8a1782924957088cb
-
Filesize
741B
MD525aa9bb549ecc7bb6100f8d179452508
SHA1a3bea5e2138d1558109fa26d46e2f79c3a20228f
SHA256df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c
SHA51212e26fa999faf2ca017a49987be5c668930495c26c789e19863097e5b0555add90ecdbb397521436acb47d7f2dfd5029b9b4beed16877ac7df854b3321642e37
-
Filesize
255B
MD5f178e85041b77c56b3bc012df051aac2
SHA19bf1c26c904c518d105fbe9bf86d3fd39da42e58
SHA256cd868493145f8c555350a93434bacd8bdc9e2d027bb03c596e8d2704c58b94b5
SHA512279c96859aab4279af800256442bffefca7184990e95ba6234650f712019b67300babbc44f329131596787a3f607548b95af6447f5a285a237e49ff6775126db
-
Filesize
1.4MB
MD5ada353fb0c873569869c110c4087a7a0
SHA1603d576f0828d25eedc993462be1a425f4403988
SHA2560a07e95d69269ad6191a74161fbe84f1adc07781d5616cbb0c8acc73d624da66
SHA51290bec0ceaf63fb7d812a82fbc48b941036445fd0776d8332437a415b47c4f3ca4846abc2cb15ce2de4a0f51d887d0f0e01d908377faf74b43a9cf1683513d48f
-
Filesize
1.4MB
MD5ada353fb0c873569869c110c4087a7a0
SHA1603d576f0828d25eedc993462be1a425f4403988
SHA2560a07e95d69269ad6191a74161fbe84f1adc07781d5616cbb0c8acc73d624da66
SHA51290bec0ceaf63fb7d812a82fbc48b941036445fd0776d8332437a415b47c4f3ca4846abc2cb15ce2de4a0f51d887d0f0e01d908377faf74b43a9cf1683513d48f
-
Filesize
1.4MB
MD5ada353fb0c873569869c110c4087a7a0
SHA1603d576f0828d25eedc993462be1a425f4403988
SHA2560a07e95d69269ad6191a74161fbe84f1adc07781d5616cbb0c8acc73d624da66
SHA51290bec0ceaf63fb7d812a82fbc48b941036445fd0776d8332437a415b47c4f3ca4846abc2cb15ce2de4a0f51d887d0f0e01d908377faf74b43a9cf1683513d48f
-
Filesize
1.4MB
MD5ada353fb0c873569869c110c4087a7a0
SHA1603d576f0828d25eedc993462be1a425f4403988
SHA2560a07e95d69269ad6191a74161fbe84f1adc07781d5616cbb0c8acc73d624da66
SHA51290bec0ceaf63fb7d812a82fbc48b941036445fd0776d8332437a415b47c4f3ca4846abc2cb15ce2de4a0f51d887d0f0e01d908377faf74b43a9cf1683513d48f
-
Filesize
1.1MB
MD53108566f15c3d2aec065553e2b1a160b
SHA163aee7932610ecb0ebeb8de2945a46a755583b83
SHA2563d40c56e50577d0c367495bb41854063ed17193820d373bb4468818737c80e37
SHA512d9f42049777bced87297e92864fa12a51d07450b99547d2e6c98ca45e31e4b405218abfcd54613d237297e206f1b7a37581f39e7db928b9003ca0944a7ae2ee7
-
Filesize
121B
MD5e50fa5c1126e3d8ac3394b803ac7fcf2
SHA129dcd610a4c8c2fbf07efa5be1b82d08b704faf7
SHA256fa63c10da12bd2c3d8fa55b43f8967717f0c77cfe6cb2d68c7449ebb8c827566
SHA512c9b05a8454f30917899bbb93c484968f782168eda7dc0a535eb929b3f8dc22e8b1634bfd431addbf6e13c818d0399d4e6ecd4e57308c4a2c659dcc0e08524bcc
-
Filesize
1.4MB
MD5ada353fb0c873569869c110c4087a7a0
SHA1603d576f0828d25eedc993462be1a425f4403988
SHA2560a07e95d69269ad6191a74161fbe84f1adc07781d5616cbb0c8acc73d624da66
SHA51290bec0ceaf63fb7d812a82fbc48b941036445fd0776d8332437a415b47c4f3ca4846abc2cb15ce2de4a0f51d887d0f0e01d908377faf74b43a9cf1683513d48f
-
Filesize
1.4MB
MD5ada353fb0c873569869c110c4087a7a0
SHA1603d576f0828d25eedc993462be1a425f4403988
SHA2560a07e95d69269ad6191a74161fbe84f1adc07781d5616cbb0c8acc73d624da66
SHA51290bec0ceaf63fb7d812a82fbc48b941036445fd0776d8332437a415b47c4f3ca4846abc2cb15ce2de4a0f51d887d0f0e01d908377faf74b43a9cf1683513d48f
-
Filesize
1.4MB
MD5ada353fb0c873569869c110c4087a7a0
SHA1603d576f0828d25eedc993462be1a425f4403988
SHA2560a07e95d69269ad6191a74161fbe84f1adc07781d5616cbb0c8acc73d624da66
SHA51290bec0ceaf63fb7d812a82fbc48b941036445fd0776d8332437a415b47c4f3ca4846abc2cb15ce2de4a0f51d887d0f0e01d908377faf74b43a9cf1683513d48f
-
Filesize
1.4MB
MD5ada353fb0c873569869c110c4087a7a0
SHA1603d576f0828d25eedc993462be1a425f4403988
SHA2560a07e95d69269ad6191a74161fbe84f1adc07781d5616cbb0c8acc73d624da66
SHA51290bec0ceaf63fb7d812a82fbc48b941036445fd0776d8332437a415b47c4f3ca4846abc2cb15ce2de4a0f51d887d0f0e01d908377faf74b43a9cf1683513d48f
-
Filesize
1.4MB
MD5ada353fb0c873569869c110c4087a7a0
SHA1603d576f0828d25eedc993462be1a425f4403988
SHA2560a07e95d69269ad6191a74161fbe84f1adc07781d5616cbb0c8acc73d624da66
SHA51290bec0ceaf63fb7d812a82fbc48b941036445fd0776d8332437a415b47c4f3ca4846abc2cb15ce2de4a0f51d887d0f0e01d908377faf74b43a9cf1683513d48f
-
Filesize
156KB
MD5c27e63779e0f910401e42ecf864fdba2
SHA134fdc524b985291cea22741a30a3ba6424c50d3e
SHA256dd91db8baa37691f6dc167cd9d348c57acce66595867d743798e05b5fb85743b
SHA512472e30dd0706610241aeb2487e9827fcc8a0a1e24472a16305b5a0baa7ec87212562f711c77100ee1b6a693ade84cf0b2e936ffde7f7dd3416047075532f5c3c
-
Filesize
156KB
MD5c27e63779e0f910401e42ecf864fdba2
SHA134fdc524b985291cea22741a30a3ba6424c50d3e
SHA256dd91db8baa37691f6dc167cd9d348c57acce66595867d743798e05b5fb85743b
SHA512472e30dd0706610241aeb2487e9827fcc8a0a1e24472a16305b5a0baa7ec87212562f711c77100ee1b6a693ade84cf0b2e936ffde7f7dd3416047075532f5c3c
-
Filesize
1.4MB
MD5ada353fb0c873569869c110c4087a7a0
SHA1603d576f0828d25eedc993462be1a425f4403988
SHA2560a07e95d69269ad6191a74161fbe84f1adc07781d5616cbb0c8acc73d624da66
SHA51290bec0ceaf63fb7d812a82fbc48b941036445fd0776d8332437a415b47c4f3ca4846abc2cb15ce2de4a0f51d887d0f0e01d908377faf74b43a9cf1683513d48f
-
Filesize
1.4MB
MD5ada353fb0c873569869c110c4087a7a0
SHA1603d576f0828d25eedc993462be1a425f4403988
SHA2560a07e95d69269ad6191a74161fbe84f1adc07781d5616cbb0c8acc73d624da66
SHA51290bec0ceaf63fb7d812a82fbc48b941036445fd0776d8332437a415b47c4f3ca4846abc2cb15ce2de4a0f51d887d0f0e01d908377faf74b43a9cf1683513d48f
-
Filesize
52KB
-
Filesize
392KB
-
Filesize
16.6MB
-
Filesize
52KB
-
Filesize
392KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
52KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
8KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
8KB
-
Filesize
1.4MB
-
Filesize
392KB
-
Filesize
356KB
-
Filesize
356KB
-
Filesize
392KB
-
Filesize
356KB
-
Filesize
392KB
-
Filesize
356KB
-
Filesize
356KB
-
Filesize
356KB
-
Filesize
392KB
-
Filesize
52KB
-
Filesize
160KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
8KB
-
Filesize
356KB
-
Filesize
356KB
-
Filesize
52KB
-
Filesize
8KB
-
Filesize
52KB
-
Filesize
1.4MB
-
Filesize
52KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
160KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
16.6MB
-
Filesize
160KB
-
Filesize
8KB
-
Filesize
16.6MB