Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
42s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
10/10/2022, 23:37
General
-
Target
20096e3778f9927d74e03299b309225844b99647c4b5b48dc0e9b9e79de92c3f.exe
-
Size
1012KB
-
MD5
7cea36e7e2ae05dfa419c1b732459a36
-
SHA1
3dd746f0bd26f1dd7e13efe2bab2f1b83020606e
-
SHA256
20096e3778f9927d74e03299b309225844b99647c4b5b48dc0e9b9e79de92c3f
-
SHA512
c182e18ffd1fb9067acb24f37d6343db467506db0debab8e9fb76e9181959f3d1330cd7af836aedc0ed6f4f3efdf41f4d28ad1fbcede9323f7272404cc0510cd
-
SSDEEP
12288:nrg85zgRS99vH5C78pnMULnGTyW1hMW6/cNExJd2iCLdrt3C:nrrGS3H5CmW16+WYiIdw
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\20096e3778f9927d74e03299b309225844b99647c4b5b48dc0e9b9e79de92c3f.exe"C:\Users\Admin\AppData\Local\Temp\20096e3778f9927d74e03299b309225844b99647c4b5b48dc0e9b9e79de92c3f.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
1.0MB
-
Filesize
16.6MB