Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

97e95d9d5d...74.exe

windows7-x64

10

97e95d9d5d...74.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    45s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    11/10/2022, 22:03 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    97e95d9d5d7528ed469b899812583b384eb6a50631c98878f6b021f324b3af74.exe

  • Size

    237KB

  • MD5

    6c05891e0b0ef976bb7643028a6d1875

  • SHA1

    775f6f171c3ba271229e6ce9b1a62cd3426e4366

  • SHA256

    97e95d9d5d7528ed469b899812583b384eb6a50631c98878f6b021f324b3af74

  • SHA512

    cb1bb9eb0f4ea289a93b03ac03efee0c427acbd8c5250b64ce91a076bc68560da03621d40b7916594e4b40a9ac56b2e6f38c41867743dd5e5e2db13f6b94c766

  • SSDEEP

    3072:u7/64aQcwAAvVyhPLz+0r+jB3v1Jmzub67NHzPps94sb3B8BO1zgddAduUqi4xRZ:G6avstzL03v/vb6RHzyfzwdAF4YzC

Score
10/10
salitybackdoorevasionpersistencetrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1228
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1328
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1400
          • C:\Users\Admin\AppData\Local\Temp\97e95d9d5d7528ed469b899812583b384eb6a50631c98878f6b021f324b3af74.exe
            "C:\Users\Admin\AppData\Local\Temp\97e95d9d5d7528ed469b899812583b384eb6a50631c98878f6b021f324b3af74.exe"
            2⤵
            • Modifies firewall policy service
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • UAC bypass
            • Windows security bypass
            • Windows security modification
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1324

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1324-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1324-55-0x0000000001CD0000-0x0000000002D5E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/1324-56-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

          Download

        • memory/1324-57-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

          Download

        • memory/1324-58-0x0000000001CD0000-0x0000000002D5E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/1324-59-0x0000000001CD0000-0x0000000002D5E000-memory.dmp

          Filesize

          16.6MB

          Download

        We care about your privacy.

        This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.