Analysis

  • max time kernel
    45s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/10/2022, 22:03 UTC

General

  • Target

    97e95d9d5d7528ed469b899812583b384eb6a50631c98878f6b021f324b3af74.exe

  • Size

    237KB

  • MD5

    6c05891e0b0ef976bb7643028a6d1875

  • SHA1

    775f6f171c3ba271229e6ce9b1a62cd3426e4366

  • SHA256

    97e95d9d5d7528ed469b899812583b384eb6a50631c98878f6b021f324b3af74

  • SHA512

    cb1bb9eb0f4ea289a93b03ac03efee0c427acbd8c5250b64ce91a076bc68560da03621d40b7916594e4b40a9ac56b2e6f38c41867743dd5e5e2db13f6b94c766

  • SSDEEP

    3072:u7/64aQcwAAvVyhPLz+0r+jB3v1Jmzub67NHzPps94sb3B8BO1zgddAduUqi4xRZ:G6avstzL03v/vb6RHzyfzwdAF4YzC

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/
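The C2 list above is the report's most directly reusable output. The Python below is an added example, not part of the Triage report: it turns the six URLs into IP, domain and path indicators and runs them over Squid-style proxy log lines. The log lines, client addresses and the registered-domain matching heuristic are the author's assumptions for illustration, not traffic observed in this analysis (the report's Network section is empty).

```python
"""Turn the report's Sality C2 URLs into indicators and scan proxy log lines.

Added example (not part of the Triage report). The URL list is copied from the
report's Malware Config section; the log lines are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# C2 URLs exactly as listed under "Malware Config" above.
C2_URLS = [
    "http://89.119.67.154/testo5/",
    "http://kukutrustnet777.info/home.gif",
    "http://kukutrustnet888.info/home.gif",
    "http://kukutrustnet987.info/home.gif",
    "http://www.klkjwre9fqwieluoi.info/",
    "http://kukutrustnet777888.info/",
]

_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registered_domain(host):
    """Crude eTLD+1 (last two labels); enough for the .info names in this report."""
    return ".".join(host.split(".")[-2:])


def build_indicators(urls):
    """Split the URLs into IP, domain and path indicators.

    Domains are indexed both exactly and by registered domain, so a 'www.'
    prefix (present on one of the report's URLs) does not defeat the match.
    """
    ind = {"ips": set(), "hosts": set(), "paths": set()}
    for url in urls:
        p = urlparse(url)
        host = (p.hostname or "").lower()
        if _IPV4.fullmatch(host):
            ind["ips"].add(host)
        else:
            ind["hosts"].add(host)
            ind["hosts"].add(registered_domain(host))
        if p.path and p.path != "/":
            ind["paths"].add(p.path)
    return ind


# Squid native access.log layout: ts elapsed client code/status bytes method url ...
# Constructed sample lines for the example; not traffic from this analysis.
SAMPLE_LOG = """\
1668117900.123 45 10.0.0.7 TCP_MISS/200 612 GET http://kukutrustnet777.info/home.gif - HIER_DIRECT/203.0.113.9 image/gif
1668117901.456 12 10.0.0.7 TCP_MISS/404 300 GET http://89.119.67.154/testo5/ - HIER_DIRECT/89.119.67.154 text/html
1668117902.789 8 10.0.0.8 TCP_HIT/200 1024 GET http://example.com/index.html - NONE/- text/html
1668117903.000 15 10.0.0.9 TCP_MISS/200 612 GET http://www.kukutrustnet888.info/home.gif - HIER_DIRECT/203.0.113.10 image/gif
"""


def scan_log(text, ind):
    """Return (client, host, reasons) for each log line that touches a C2 indicator.

    A path match alone is not reported: '/home.gif' is far too common to be an
    indicator by itself, so it only strengthens a host or IP hit.
    """
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        p = urlparse(url)
        host = (p.hostname or "").lower()
        reasons = []
        if host in ind["ips"]:
            reasons.append("c2-ip")
        elif host in ind["hosts"] or registered_domain(host) in ind["hosts"]:
            reasons.append("c2-domain")
        if reasons and p.path in ind["paths"]:
            reasons.append("c2-path")
        if reasons:
            hits.append((client, host, reasons))
    return hits


if __name__ == "__main__":
    for client, host, reasons in scan_log(SAMPLE_LOG, build_indicators(C2_URLS)):
        print(f"{client} -> {host}: {', '.join(reasons)}")
```

The three flagged lines are the two kukutrustnet hosts and the raw IP; example.com is untouched. Matching on the registered domain is a deliberate widening: Sality's domains here differ only in the digits of one label, so a new variant with a fresh prefix would still be missed, but a "www." form of a listed domain is not.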

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Sality

    Sality is a polymorphic file infector with backdoor functionality, written in C++ and first discovered in 2003.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX or with a modified build of the open-source UPX packer.

  • Windows security modification 2 TTPs 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 1 IoCs
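The signatures above describe host changes (Explorer view settings, firewall policy, UAC, Security Center notifications, a Run key) without listing the registry paths behind them. The Python below is an added example, not part of the Triage report or the sandbox's own signature logic: it parses a `reg export` snapshot and flags the values those signature names usually correspond to. The key/value pairs in RULES are the author's assumptions about that mapping, and the .reg text is constructed, not taken from this sample.

```python
"""Audit a .reg export for the host modifications this report's signatures describe.

Added example, not from the Triage report. RULES encodes the author's assumptions
about which registry values "Modifies firewall policy service", "Modifies
visibility of ... in Explorer", "UAC bypass", "Windows security modification" and
"Adds Run key" usually map to. SAMPLE_REG is constructed, not from the sample.
"""
import re

# On a suspect host:  reg export HKLM hklm.reg  /  reg export HKCU hkcu.reg
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="C:\\Users\\Admin\\AppData\\Local\\Temp\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg_export(text):
    """Parse .reg text into {key_path_lower: {value_name_lower: data}}.

    Decodes REG_DWORD and REG_SZ (all the checks need); other types stay raw.
    Registry paths and value names are case-insensitive, hence the lowering.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = (m.group(1) if m.group(1) is not None else "(default)").lower()
        data = m.group(2)
        if data.startswith("dword:"):
            data = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


# Assumed mappings from the report's signature names to registry values.
_ADV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
_UAC = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
_FW = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
_SC = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
RULES = [  # (key, value name, predicate that means "modified", description)
    (_ADV, "Hidden", lambda v: v == 2, "Explorer: hidden/system files not shown"),
    (_ADV, "HideFileExt", lambda v: v == 1, "Explorer: known file extensions hidden"),
    (_UAC, "EnableLUA", lambda v: v == 0, "UAC disabled (EnableLUA=0)"),
    (_FW, "EnableFirewall", lambda v: v == 0, "Windows Firewall standard profile disabled"),
    (_SC, "AntiVirusDisableNotify", lambda v: v == 1, "Security Center: AV notifications suppressed"),
    (_SC, "FirewallDisableNotify", lambda v: v == 1, "Security Center: firewall notifications suppressed"),
    (_SC, "UpdatesDisableNotify", lambda v: v == 1, "Security Center: update notifications suppressed"),
]
RUN_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]
# Run entries that launch from user-writable locations deserve a look.
_USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\[^\\]+\\downloads)\\", re.I)


def audit(keys):
    """Return (description, key, value name, data) for every rule that fires."""
    findings = []
    for key, name, modified, desc in RULES:
        data = keys.get(key.lower(), {}).get(name.lower())
        if data is not None and modified(data):
            findings.append((desc, key, name, data))
    for key in RUN_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            if isinstance(data, str) and _USER_WRITABLE.search(data):
                findings.append(("Run key launches from a user-writable path", key, name, data))
    return findings


def audit_reg_text(text):
    return audit(parse_reg_export(text))


if __name__ == "__main__":
    for desc, key, name, data in audit_reg_text(SAMPLE_REG):
        print(f"{desc}: {key}\\{name} = {data!r}")
```

reg.exe writes its export as UTF-16, so read a real file with encoding="utf-16" before passing it to audit_reg_text. A clean baseline export returns an empty list; every finding names the key and value, so it can be compared directly against the Triage signature that prompted the check.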

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    PID 1228 (depth 1)
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    PID 1328 (depth 1)
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    PID 1400 (depth 1)
    • C:\Users\Admin\AppData\Local\Temp\97e95d9d5d7528ed469b899812583b384eb6a50631c98878f6b021f324b3af74.exe
      "C:\Users\Admin\AppData\Local\Temp\97e95d9d5d7528ed469b899812583b384eb6a50631c98878f6b021f324b3af74.exe"
      PID 1324 (depth 2, under Explorer.EXE)
      • Modifies firewall policy service
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • UAC bypass
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1324-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp
    Filesize: 8KB
  • memory/1324-55-0x0000000001CD0000-0x0000000002D5E000-memory.dmp
    Filesize: 16.6MB
  • memory/1324-56-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize: 176KB
  • memory/1324-57-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize: 176KB
  • memory/1324-58-0x0000000001CD0000-0x0000000002D5E000-memory.dmp
    Filesize: 16.6MB
  • memory/1324-59-0x0000000001CD0000-0x0000000002D5E000-memory.dmp
    Filesize: 16.6MB
