Analysis

  • max time kernel
    73s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/10/2022, 16:52 UTC

General

  • Target

    44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe

  • Size

    667KB

  • MD5

    300e3f51957787fe3a0a27572a80ad20

  • SHA1

    b2ddf592123cba982e04199f759a902f61f40b44

  • SHA256

    44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460

  • SHA512

    27170c020b651a172707b0be18b0fc875a294dca53a9e86c464bf115f629cab9caa13bbd58ba4636103e5164628050d89171e5697e125d5269f400ca622d1b12

  • SSDEEP

    6144:uRC0LS6V23ltSpcW3Go+jE7RkCrphFbaSKh8KBQexaZm:uRC0OqAnSCW29ARkghNvGYeoZm

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Executes dropped EXE 1 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 49 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    1⤵
    PID:4688
  • C:\Users\Admin\AppData\Local\Temp\44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe
    "C:\Users\Admin\AppData\Local\Temp\44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460.exe"
    1⤵
    • Modifies firewall policy service
    • UAC bypass
    • Windows security bypass
    • Disables RegEdit via registry modification
    • Windows security modification
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1932
    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:4952
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
        PID:1060
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4004
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4004 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:260
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5116
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5116 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:316
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:1308
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:3708
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3508
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:3432
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3368
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    PID:3264
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    1⤵
    PID:2952
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:2204
  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
    PID:2660
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    PID:2384
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2368
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    PID:1012
  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
    PID:780
  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
    PID:772

Network

  • DNS api.bing.com (iexplore.exe), remote address 8.8.8.8:53
    Request
    api.bing.com IN A
    Response
    api.bing.com IN CNAME api-bing-com.e-0001.e-msedge.net
    api-bing-com.e-0001.e-msedge.net IN CNAME e-0001.e-msedge.net
    e-0001.e-msedge.net IN A 13.107.5.80
  • 93.184.220.29:80
    46 B
    40 B
    1
    1
  • 52.168.117.170:443
    322 B
    7
  • 8.252.51.254:80
    322 B
    7
  • 8.253.183.120:80
    322 B
    7
  • 104.80.225.205:443
    RuntimeBroker.exe
    322 B
    7
  • 209.197.3.8:80
    322 B
    7
  • 204.79.197.200:443
    ieonline.microsoft.com
    tls, http2
    iexplore.exe
    1.2kB
    8.1kB
    15
    14
  • 8.8.8.8:53
    api.bing.com
    dns
    iexplore.exe
    58 B
    134 B
    1
    1
    DNS Request
    api.bing.com
    DNS Response
    13.107.5.80

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\Microsoft\WaterMark.exe
    Filesize
    667KB
    MD5
    300e3f51957787fe3a0a27572a80ad20
    SHA1
    b2ddf592123cba982e04199f759a902f61f40b44
    SHA256
    44c0065f119ed6b9218102aba0ac2d030348dac2d4e90c2b768f21ebdd467460
    SHA512
    27170c020b651a172707b0be18b0fc875a294dca53a9e86c464bf115f629cab9caa13bbd58ba4636103e5164628050d89171e5697e125d5269f400ca622d1b12

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize
    471B
    MD5
    fd70739fca5345a28f924f9102ae10ee
    SHA1
    6ce3f92183544f3bf52cb76364591589cb940a19
    SHA256
    f238404cc643efddef8ff430f128cdc8ec1513969eaac24b5e5bce81248a91e7
    SHA512
    a787d3a2bceeaed2f2a29f357df6ae17d5b9f66a3c561550d5f83c308ad26a1ddf876488151ff5e51ce93bfb9d0c7b8ca812d595e8d3ebdda7d805707ac1b278

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize
    404B
    MD5
    47a5c78770e7ed0d11d89cb045cc7303
    SHA1
    161a8e501ffa447954b1e4d8b1161129aa47002b
    SHA256
    b7d85489e67ac7c9ca467b05e738db0e15474b791cb8c2197c75cb8fde29b4ac
    SHA512
    b8bcbacdd7132580e5e0e1c6e7db9512ba16cd5650b20289703c5b01b70d2dc597882c7617e200849f9c98aff312068d6f5fec7fb2f34d92c1ffe0f2942c5b63

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize
    404B
    MD5
    423e86aec034ce55bc2bde9f8de664ff
    SHA1
    7016bc3685bfd9796606065a4545ab3d3a80ed08
    SHA256
    91fde2f7a4afaacaf2a291fe9ae06844d57dfffb71c7ec0857acfa901d14bfb6
    SHA512
    bb6359221b9ad4146c5193b25956029dbe4d1d55c826ee9174eff30f78aaefb125d21e2b9eaf9610c65a9d54fab2fcdac529fda03f77726c49e4a7dd2932b167

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C9D79E87-42B4-11ED-89AC-F6DE28FD18F9}.dat
    Filesize
    5KB
    MD5
    b926d14c2e151fe020d69e241c8a4aa5
    SHA1
    8a0f51b7bd5f1aac402c9a1ad1f687d94340a7d0
    SHA256
    f8fab701d5a2f84c72c65fbb759247872029c3dbd8043f9588b8c4724b618f31
    SHA512
    d0efb876fd0e1c2248d7a07a6549e71b6f6a38e43445d5ad6e1ed4b2792d103c72dcc87e80b5651f4f3840964a11e8789b98f8096ba6a3093529f2d8f63d777e

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C9DEC678-42B4-11ED-89AC-F6DE28FD18F9}.dat
    Filesize
    5KB
    MD5
    7f66d2d2f1d27fba217774b098797cc5
    SHA1
    6059cf3c36a0e77c06ab079c644b2e3b55b41d48
    SHA256
    b5424e88db278d1d9263e32d51954d8c831513ca1f50dd0a4d52b6dc2fc94e53
    SHA512
    fa196141fa61667eb7c125c9d3557a23f696ccf4806fe0e0467c3a8ac19c86ef5ea03edc6150c6577cf61eadd2862432143a63c601f29b11ca81c077c26493e0

  • memory/1932-141-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize
    132KB

  • memory/1932-145-0x0000000003860000-0x00000000048EE000-memory.dmp
    Filesize
    16.6MB

  • memory/1932-135-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize
    132KB

  • memory/1932-136-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize
    132KB

  • memory/1932-140-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize
    712KB

  • memory/1932-132-0x0000000003860000-0x00000000048EE000-memory.dmp
    Filesize
    16.6MB

  • memory/1932-155-0x0000000003860000-0x00000000048EE000-memory.dmp
    Filesize
    16.6MB

  • memory/4952-150-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize
    712KB

  • memory/4952-156-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize
    132KB

  • memory/4952-151-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize
    712KB

  • memory/4952-152-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize
    712KB

  • memory/4952-147-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize
    712KB
