Analysis

  • max time kernel
    167s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/10/2022, 21:58 UTC

General

  • Target

    ea9b39ca79c203b294f13de7412576eb5a3facf50b8a6497199861d9538ba9a6.exe

  • Size

    164KB

  • MD5

    6ae218867eb9467591bb24c796c24f70

  • SHA1

    7e821f0f91ce1011bc5644970de2567118037967

  • SHA256

    ea9b39ca79c203b294f13de7412576eb5a3facf50b8a6497199861d9538ba9a6

  • SHA512

    b959882f2c3cd74df8cab822e1ab438d84750a332eb1a909cf1a50edec1db346414fd9a2e255725f38d0016251ce098e5c2fb60b21b39db3b1cf789a7dbb4b4d

  • SSDEEP

    3072:2NQKPWDyZI0hJltZrpRRyPZNtB9htSJAvdhp20onnel+FeQ97:2NSDyZISthpcX9SJSjInel2d7

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Sality

    Sality is a backdoor written in C++, first discovered in 2003. Beyond the backdoor component, the family is a polymorphic file infector that patches executables on local and removable drives and enrols infected hosts in a peer-to-peer botnet, which is the context for the drive-enumeration, process-enumeration and WriteProcessMemory signatures listed below.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Triage's generic description for this signature calls it likely ransomware behaviour; for a Sality sample it is better explained by the family's file-infector spreading, which walks attached and removable drives looking for executables to infect.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
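The signatures above name behaviours (firewall disabled through netsh, regedit and Task Manager locked out, the UAC policy changed) without showing the matching logic. The following is an added detection example written for this page, not code from Triage or from the sample. It runs over constructed event records shaped like Sysmon EventID 1 (process creation) and EventID 13 (registry value set) exported as JSON: the field names are Sysmon's, the values are made up except for the netsh command line, which is the one recorded in this report's process tree, and the registry paths are the standard Windows policy locations the signature names refer to (which of them Triage actually matched for this sample is not shown on the page).

```python
"""Detection logic for the host-tampering behaviours this report flags.

Added example, not part of the Triage report or the sample. The events
in SAMPLE_EVENTS are constructed to resemble Sysmon EventID 1 (process
creation) and EventID 13 (registry value set); only the netsh command
line is taken from the report's process tree.
"""
import re

# (registry path suffix, DWORD value that means "tampered", label).
# Standard Windows policy locations; an assumption about what the
# report's signature names correspond to.
REGISTRY_RULES = [
    (r"\policies\system\disableregistrytools", 1, "regedit disabled"),
    (r"\policies\system\disabletaskmgr", 1, "Task Manager disabled"),
    (r"\policies\system\enablelua", 0, "UAC disabled"),
    (r"\firewallpolicy\standardprofile\enablefirewall", 0, "firewall policy disabled"),
    (r"\firewallpolicy\domainprofile\enablefirewall", 0, "firewall policy disabled"),
    (r"\security center\antivirusdisablenotify", 1, "Security Center AV alerts silenced"),
]

DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{1,8})\)")   # Sysmon 'Details' format
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


def check_process(event):
    """Return a label if a process-creation event turns the firewall off."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\netsh.exe"):
        return None
    # 'mode=disable' and 'disable' are both accepted by netsh; normalise.
    tokens = [t.split("=")[-1] for t in event.get("CommandLine", "").lower().split()]
    # Legacy 'netsh firewall' context, the form this sample used ...
    if {"firewall", "set", "opmode", "disable"} <= set(tokens):
        return "firewall disabled via legacy netsh firewall"
    # ... and the current 'netsh advfirewall' equivalent.
    if "advfirewall" in tokens and "state" in tokens and "off" in tokens:
        return "firewall disabled via netsh advfirewall"
    return None


def check_registry(event):
    """Return a label if a registry-set event matches a tamper rule."""
    target = event.get("TargetObject", "").lower()
    m = DWORD_RE.search(event.get("Details", ""))
    if m is None:
        return None
    value = int(m.group(1), 16)
    for suffix, tampered_value, label in REGISTRY_RULES:
        if target.endswith(suffix) and value == tampered_value:
            return label
    return None


def scan(events):
    """Run both checks; returns [(pid, label), ...] in event order."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 1:
            label = check_process(ev)
        elif ev.get("EventID") == 13:
            label = check_registry(ev)
        else:
            label = None
        if label is None:
            continue
        # The pattern in this report: the tamper command is spawned by a
        # binary running out of the user's temp directory.
        if TEMP_DIR_RE.search(ev.get("ParentImage", "")):
            label += " (parent runs from %TEMP%)"
        hits.append((ev["ProcessId"], label))
    return hits


def tamper_summary(events):
    """Group hits by the responsible process, for triage of one host."""
    summary = {}
    for pid, label in scan(events):
        summary.setdefault(pid, []).append(label)
    return summary


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ea9b39ca79c203b294f13de7412576eb5a3facf50b8a6497199861d9538ba9a6.exe"
POLICY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed events; SID, PIDs other than those in the report, and the
# benign entries are invented for the example.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2296, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": "netsh firewall set opmode disable", "ParentImage": SAMPLE},
    {"EventID": 13, "ProcessId": 4892, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKU\S-1-5-21-1000\%s\DisableRegistryTools" % POLICY},
    {"EventID": 13, "ProcessId": 4892, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKU\S-1-5-21-1000\%s\DisableTaskMgr" % POLICY},
    {"EventID": 13, "ProcessId": 4892, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    # Benign: an administrator re-enabling UAC, and notepad starting normally.
    {"EventID": 13, "ProcessId": 1200, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"EventID": 1, "ProcessId": 3772, "Image": r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     "CommandLine": r'"C:\Windows\system32\NOTEPAD.EXE"', "ParentImage": SAMPLE},
]

if __name__ == "__main__":
    for pid, label in scan(SAMPLE_EVENTS):
        print(pid, label)
```

Matching on the registry path suffix rather than the full key keeps the rules valid for both HKLM and per-user HKU hives, and comparing the DWORD value (not just the key) avoids alerting when an administrator sets EnableLUA back to 1. The legacy "netsh firewall" context is deprecated on current Windows but still worth matching, since that is exactly the form this sample chose.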

Processes

  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    PID:328
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:4748
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:4324
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:3748
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3520
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:3436
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3372
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    PID:3276
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    1⤵
    PID:3092
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3048
    • C:\Users\Admin\AppData\Local\Temp\ea9b39ca79c203b294f13de7412576eb5a3facf50b8a6497199861d9538ba9a6.exe
      "C:\Users\Admin\AppData\Local\Temp\ea9b39ca79c203b294f13de7412576eb5a3facf50b8a6497199861d9538ba9a6.exe"
      2⤵
      • UAC bypass
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Windows security modification
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4892
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall set opmode disable
        3⤵
        • Modifies Windows Firewall
        PID:2296
        • C:\Windows\System32\Conhost.exe
          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          4⤵
          PID:2348
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE"
        3⤵
        PID:3772
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE"
        3⤵
        PID:4256
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE"
        3⤵
        PID:1048
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE"
        3⤵
        PID:4832
  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
    PID:2436
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    PID:2340
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2324
  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
    PID:776
  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
    PID:772

  Only the subtree under the submitted sample (PID 4892, launched from Explorer.EXE) carries signature hits: the netsh child that ran "netsh firewall set opmode disable" (PID 2296, with its conhost) and four NOTEPAD.EXE children (PIDs 3772, 4256, 1048 and 4832) that the sample started with no arguments. The other depth-1 entries (dwm, RuntimeBroker, SearchApp, svchost, sihost, fontdrvhost and so on) are ordinary session processes of the sandbox image that were captured alongside the sample. "netsh firewall" is the legacy, deprecated firewall context (the current equivalent is "netsh advfirewall"); either form should be treated as a firewall-tampering indicator.

Network

  • 20.42.73.24:443: 322 B, 7
  • 93.184.221.240:80: 322 B, 7
  • 93.184.221.240:80: 322 B, 7
  • 93.184.221.240:80: 322 B, 7
  • 104.80.224.44:443 (tls): 92 B / 111 B, 2 / 2

  The report's other network views are empty ("No results found"). None of the C2 endpoints from the extracted configuration (89.119.67.154 and the three kukutrustnet*.info hosts) appears among these flows, and no DNS lookup for them is listed. The destinations that were contacted sit in Microsoft, Akamai and Edgecast address ranges and look like Windows background traffic from the sandbox image rather than activity of the sample, so the extracted configuration, not this flow list, is the network IOC set to act on.

MITRE ATT&CK Enterprise v6


Downloads

  Memory dumps, named memory/<pid>-<index>-<start>-<end>-memory.dmp, grouped by process:

  • memory/4892-132-0x0000000001000000-0x0000000001026000-memory.dmp (152KB)
  • memory/4892-144-0x0000000001000000-0x0000000001026000-memory.dmp (152KB)
  • memory/4892-133-0x0000000002440000-0x0000000003472000-memory.dmp (16.2MB)
  • memory/4892-135-0x0000000002440000-0x0000000003472000-memory.dmp (16.2MB)
  • memory/3772-137-0x00000000007C0000-0x00000000007D7000-memory.dmp (92KB)
  • memory/4256-139-0x0000000000D80000-0x0000000000D97000-memory.dmp (92KB)
  • memory/1048-141-0x0000000000970000-0x0000000000987000-memory.dmp (92KB)
  • memory/4832-143-0x0000000000E80000-0x0000000000E97000-memory.dmp (92KB)

  PID 4892 is the sample: the 152KB region at 0x01000000 is close to the 164KB file size and is most likely the loaded image, and the 16.2MB region at 0x02440000 is far larger than the file and was allocated at run time, which is where unpacked code usually ends up for a UPX-packed sample. Each region was dumped twice (two snapshots). PIDs 3772, 4256, 1048 and 4832 are the four NOTEPAD.EXE children in the process tree; each has exactly one dumped region of the same 92KB size at a non-image address, consistent with the sample writing the same payload into every child (compare the WriteProcessMemory signature). That reading is an inference from the artifacts, not something the report states; the 92KB dumps are the ones to pull for the injected code.

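The Downloads list above reports sizes but not how they follow from the dump names, and the grouping by PID is what makes the injection pattern visible. The following is an added example, not code from Triage or the report: it parses the artifact naming pattern visible on the page (memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp, an assumption about the format), computes region sizes, de-duplicates regions dumped twice, and lists regions in processes other than the sample as injection candidates. The dump names are copied from the report; the sample PID (4892) and the NOTEPAD.EXE PIDs are taken from the process tree.

```python
"""Parse Triage memory-dump artifact names and size the dumped regions.

Added example, not from Triage or this report. Assumes the naming
pattern seen in the Downloads list; the names below are copied from
the report, the sizes are computed here.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)"
    r"-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

SAMPLE_PID = 4892                       # the submitted executable (process tree)
NOTEPAD_PIDS = {3772, 4256, 1048, 4832}  # its NOTEPAD.EXE children (process tree)

DUMP_NAMES = [
    "memory/1048-141-0x0000000000970000-0x0000000000987000-memory.dmp",
    "memory/3772-137-0x00000000007C0000-0x00000000007D7000-memory.dmp",
    "memory/4256-139-0x0000000000D80000-0x0000000000D97000-memory.dmp",
    "memory/4832-143-0x0000000000E80000-0x0000000000E97000-memory.dmp",
    "memory/4892-132-0x0000000001000000-0x0000000001026000-memory.dmp",
    "memory/4892-135-0x0000000002440000-0x0000000003472000-memory.dmp",
    "memory/4892-133-0x0000000002440000-0x0000000003472000-memory.dmp",
    "memory/4892-144-0x0000000001000000-0x0000000001026000-memory.dmp",
]


def parse_dump_name(name):
    """Split one artifact name into pid, snapshot index and region bounds."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not a Triage memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {name!r}")
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Round the way the report does: whole KB below 1 MiB, else 0.1 MB."""
    if nbytes < 1 << 20:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1 << 20):.1f}MB"


def distinct_regions(names):
    """{pid: {(start, end), ...}}; a region dumped twice counts once."""
    regions = defaultdict(set)
    for name in names:
        r = parse_dump_name(name)
        regions[r["pid"]].add((r["start"], r["end"]))
    return dict(regions)


def injection_candidates(names, sample_pid=SAMPLE_PID):
    """Sizes of regions dumped from processes other than the sample, by PID.

    A region dumped from a child the sample started, at an address that is
    not that child's own image, is the usual footprint of code injection and
    lines up with the WriteProcessMemory signature. This is an inference
    from the artifacts, not a statement the report makes.
    """
    out = {}
    for pid, regs in distinct_regions(names).items():
        if pid != sample_pid:
            out[pid] = sorted(end - start for start, end in regs)
    return out


def report(names):
    """One line per distinct region, labelled sample/child."""
    lines = []
    for pid, regs in sorted(distinct_regions(names).items()):
        role = "sample" if pid == SAMPLE_PID else "child"
        for start, end in sorted(regs):
            lines.append(f"{pid} ({role}): 0x{start:08X}-0x{end:08X} "
                         f"{human_size(end - start)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(DUMP_NAMES)))
    print("injection candidates:", injection_candidates(DUMP_NAMES))
```

Rejecting names that do not match the pattern, rather than silently skipping them, keeps a renamed or truncated artifact from disappearing from the tally; the identical 0x17000-byte size in all four children is the signal worth carrying into a report.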