Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    151s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2022, 18:13

General

  • Target

    ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe

  • Size

    320KB

  • MD5

    22e8a705f7e9fdc8336c43889a6602e0

  • SHA1

    91411aa04f10292c32c8c689d1b2805d967c8887

  • SHA256

    ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63

  • SHA512

    67771ee9c3fc5b5e4846571d1e033b4c44c0d586180b0f9c8e513baa262e69aebf33fde899b09fdbd6d73e27b0fb9f832af2e85f3b3fd20c00ccd8eb9b03bb92

  • SSDEEP

    3072:qvY6LipwcDWXVa7bMdY0vJhdzOkvTxIC5wwRvlV+Mb8RK0jLydi:npw5kstvT3hRX+UCKu2di

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 6 IoCs
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

  • UAC bypass 3 TTPs 2 IoCs
  • Windows security bypass 2 TTPs 12 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables Task Manager via registry modification
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 14 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 27 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe
    "C:\Users\Admin\AppData\Local\Temp\ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63.exe"
    1⤵
    • Modifies firewall policy service
    • UAC bypass
    • Windows security bypass
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Windows security modification
    • Checks whether UAC is enabled
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:980
    • C:\Windows\Help\schedl.exe
      C:\Windows\Help\schedl.exe
      2⤵
      • Modifies firewall policy service
      • UAC bypass
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Deletes itself
      • Windows security modification
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1096
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1372
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1316
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
          PID:1248
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
          1⤵
            PID:1584

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\Help\schedl.exe

            Filesize

            320KB

            MD5

            22e8a705f7e9fdc8336c43889a6602e0

            SHA1

            91411aa04f10292c32c8c689d1b2805d967c8887

            SHA256

            ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63

            SHA512

            67771ee9c3fc5b5e4846571d1e033b4c44c0d586180b0f9c8e513baa262e69aebf33fde899b09fdbd6d73e27b0fb9f832af2e85f3b3fd20c00ccd8eb9b03bb92

          • C:\Windows\Help\schedl.exe

            Filesize

            320KB

            MD5

            22e8a705f7e9fdc8336c43889a6602e0

            SHA1

            91411aa04f10292c32c8c689d1b2805d967c8887

            SHA256

            ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63

            SHA512

            67771ee9c3fc5b5e4846571d1e033b4c44c0d586180b0f9c8e513baa262e69aebf33fde899b09fdbd6d73e27b0fb9f832af2e85f3b3fd20c00ccd8eb9b03bb92

          • C:\Windows\SYSTEM.INI

            Filesize

            255B

            MD5

            134c7d97e87fb45ca638c2a6be7bf15f

            SHA1

            cb10044e24ec1406aec02520043d75a64deef7dc

            SHA256

            5ff552482ca64f62e3f0048c2971c84454af20d9de99150adf9725ab9171996c

            SHA512

            8d86921ec900041f48e81a5fb2b8b969945f9446ae3f58f37df841f5f3b645219a3371b78e7ae2f025cb650060908b97bf7ceaf3db6524fb3eb1dc558087dc5c

          • \Windows\Help\schedl.exe

            Filesize

            320KB

            MD5

            22e8a705f7e9fdc8336c43889a6602e0

            SHA1

            91411aa04f10292c32c8c689d1b2805d967c8887

            SHA256

            ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63

            SHA512

            67771ee9c3fc5b5e4846571d1e033b4c44c0d586180b0f9c8e513baa262e69aebf33fde899b09fdbd6d73e27b0fb9f832af2e85f3b3fd20c00ccd8eb9b03bb92

          • \Windows\Help\schedl.exe

            Filesize

            320KB

            MD5

            22e8a705f7e9fdc8336c43889a6602e0

            SHA1

            91411aa04f10292c32c8c689d1b2805d967c8887

            SHA256

            ad077eb443903b2d9d2671e16897fea9e2d93b4cd2d4408eb528d2f2b0c7ff63

            SHA512

            67771ee9c3fc5b5e4846571d1e033b4c44c0d586180b0f9c8e513baa262e69aebf33fde899b09fdbd6d73e27b0fb9f832af2e85f3b3fd20c00ccd8eb9b03bb92

          • memory/980-56-0x0000000000400000-0x0000000000450000-memory.dmp

            Filesize

            320KB

          • memory/980-57-0x0000000002900000-0x000000000398E000-memory.dmp

            Filesize

            16.6MB

          • memory/980-54-0x0000000075811000-0x0000000075813000-memory.dmp

            Filesize

            8KB

          • memory/980-65-0x0000000005460000-0x00000000054B0000-memory.dmp

            Filesize

            320KB

          • memory/980-64-0x00000000003E0000-0x00000000003E2000-memory.dmp

            Filesize

            8KB

          • memory/980-72-0x0000000002900000-0x000000000398E000-memory.dmp

            Filesize

            16.6MB

          • memory/980-70-0x0000000000400000-0x0000000000450000-memory.dmp

            Filesize

            320KB

          • memory/1096-69-0x0000000000260000-0x0000000000262000-memory.dmp

            Filesize

            8KB

          • memory/1096-74-0x0000000003820000-0x00000000048AE000-memory.dmp

            Filesize

            16.6MB

          • memory/1096-66-0x0000000000400000-0x0000000000450000-memory.dmp

            Filesize

            320KB

          • memory/1096-76-0x0000000003820000-0x00000000048AE000-memory.dmp

            Filesize

            16.6MB

          • memory/1096-77-0x0000000000260000-0x0000000000262000-memory.dmp

            Filesize

            8KB

          • memory/1096-78-0x0000000003820000-0x00000000048AE000-memory.dmp

            Filesize

            16.6MB

          • memory/1096-79-0x0000000000400000-0x0000000000450000-memory.dmp

            Filesize

            320KB