Analysis

  • max time kernel
    148s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
  • submitted
    11/10/2022, 11:06

General

  • Target

    f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe

  • Size

    494KB

  • MD5

    00b4f16c961d8433284324d25b572800

  • SHA1

    370d79c091997e0ac8ecdfd290c44f1dce79aa35

  • SHA256

    f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f

  • SHA512

    3a7c4e80124e8141b5f8825c276f87b7ae82fa64aa68d2d5c665ee0535ff962eafb519ee0bee2c5ce053b390bc7b488d5343cec285de6ba4523a1d80edf74e80

  • SSDEEP

    12288:Gg3M9TO1Fu4+1nkjwCO93AQ/ESLIm5kMK0xTGEhuWEoIyiQ5hx:Gg3M01HRw39pESLI27xTpUWEoIyiQPx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • Executes dropped EXE 5 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 5 IoCs
  • Windows security modification 2 TTPs 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1192
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1324
        • C:\Users\Admin\AppData\Local\Temp\f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe
          "C:\Users\Admin\AppData\Local\Temp\f288ecfbe0efa47d9ee02a1077ce84d565bd99432ba3fbd1a9770013d49e9d4f.exe"
          2⤵
          • Modifies firewall policy service
          • UAC bypass
          • Windows security bypass
          • Loads dropped DLL
          • Windows security modification
          • Checks whether UAC is enabled
          • Enumerates connected drives
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1980
          • C:\ProgramData\DatacardService\DCService.exe
            "C:\ProgramData\DatacardService\DCService.exe" -install
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1048
            • C:\ProgramData\DatacardService\HWDeviceService64.exe
              "C:\ProgramData\DatacardService\HWDeviceService64.exe" -install
              4⤵
              • Executes dropped EXE
              PID:1256
      • C:\Windows\system32\Dwm.exe
        "C:\Windows\system32\Dwm.exe"
        1⤵
          PID:1272
        • C:\ProgramData\DatacardService\HWDeviceService64.exe
          "C:\ProgramData\DatacardService\HWDeviceService64.exe" -/service
          1⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1844
          • C:\ProgramData\DatacardService\DCSHelper.exe
            "C:\ProgramData\DatacardService\DCSHelper.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1828

        Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\ProgramData\DataCardService\DCSHelper.exe

          Filesize

          230KB

          MD5

          349ab4f70e2ac44970894e7f03e1576e

          SHA1

          5f27448dd78eee8e3c583b57fcfe0969281f007f

          SHA256

          584d84ad7be834b72e3c4548b3e1e25984ccc5f9eaa2245c44cb6bfc63a9d716

          SHA512

          382bf892a97d32bf5c4f30086d6c36ee59ffd0c428da105b821660373bfbc05b1a089717f9c76d1c76fbbc795fdfb68fda203a12cc1c6f17a2f262c838078021

        • C:\ProgramData\DataCardService\DCService.exe

          Filesize

          139KB

          MD5

          903930192dcd755910ca5f8e188cf10f

          SHA1

          8f52fe210e94f1299f76f5bc3cbe6340c77b5e91

          SHA256

          1746a56d9b678a4b7c4b74db3a53bd35e0c9e0d35b0f2979956785dae75a57b0

          SHA512

          472b098be907580dc9f6bcd31ba5ad44bb0b537bf1878dc89374ae2c2abb28312b7d8b87dc9389acce296ff5bf97c7dc6666483e836e7029e13398355927ba8b

        • C:\ProgramData\DataCardService\HWDeviceService64.exe

          Filesize

          338KB

          MD5

          e90da42b87d684debfb73b38a718a006

          SHA1

          f2eb9b7b20f8f0b88578bc8fda8326f12829f8d8

          SHA256

          bb18c63c1982f5cb99c9b65d2b801e8c1909ad7cd0171326dc0015d6b781b451

          SHA512

          69a495c1be253734b1a0958047b70fe93d0b2319c4599420ff84806e17b16e4fe1c9b2f6db69494f14dfe45c9323758670df56215b8695cf4effb9cf0ee638f9

        • C:\ProgramData\DatacardService\DCSHelper.exe

          Filesize

          230KB

          MD5

          349ab4f70e2ac44970894e7f03e1576e

          SHA1

          5f27448dd78eee8e3c583b57fcfe0969281f007f

          SHA256

          584d84ad7be834b72e3c4548b3e1e25984ccc5f9eaa2245c44cb6bfc63a9d716

          SHA512

          382bf892a97d32bf5c4f30086d6c36ee59ffd0c428da105b821660373bfbc05b1a089717f9c76d1c76fbbc795fdfb68fda203a12cc1c6f17a2f262c838078021

        • C:\ProgramData\DatacardService\DCService.exe

          Filesize

          139KB

          MD5

          903930192dcd755910ca5f8e188cf10f

          SHA1

          8f52fe210e94f1299f76f5bc3cbe6340c77b5e91

          SHA256

          1746a56d9b678a4b7c4b74db3a53bd35e0c9e0d35b0f2979956785dae75a57b0

          SHA512

          472b098be907580dc9f6bcd31ba5ad44bb0b537bf1878dc89374ae2c2abb28312b7d8b87dc9389acce296ff5bf97c7dc6666483e836e7029e13398355927ba8b

        • C:\ProgramData\DatacardService\HWDeviceService64.exe

          Filesize

          338KB

          MD5

          e90da42b87d684debfb73b38a718a006

          SHA1

          f2eb9b7b20f8f0b88578bc8fda8326f12829f8d8

          SHA256

          bb18c63c1982f5cb99c9b65d2b801e8c1909ad7cd0171326dc0015d6b781b451

          SHA512

          69a495c1be253734b1a0958047b70fe93d0b2319c4599420ff84806e17b16e4fe1c9b2f6db69494f14dfe45c9323758670df56215b8695cf4effb9cf0ee638f9

        • \ProgramData\DataCardService\DCService.exe

          Filesize

          139KB

          MD5

          903930192dcd755910ca5f8e188cf10f

          SHA1

          8f52fe210e94f1299f76f5bc3cbe6340c77b5e91

          SHA256

          1746a56d9b678a4b7c4b74db3a53bd35e0c9e0d35b0f2979956785dae75a57b0

          SHA512

          472b098be907580dc9f6bcd31ba5ad44bb0b537bf1878dc89374ae2c2abb28312b7d8b87dc9389acce296ff5bf97c7dc6666483e836e7029e13398355927ba8b

        • \ProgramData\DataCardService\HWDeviceService64.exe

          Filesize

          338KB

          MD5

          e90da42b87d684debfb73b38a718a006

          SHA1

          f2eb9b7b20f8f0b88578bc8fda8326f12829f8d8

          SHA256

          bb18c63c1982f5cb99c9b65d2b801e8c1909ad7cd0171326dc0015d6b781b451

          SHA512

          69a495c1be253734b1a0958047b70fe93d0b2319c4599420ff84806e17b16e4fe1c9b2f6db69494f14dfe45c9323758670df56215b8695cf4effb9cf0ee638f9

        • \Users\Admin\AppData\Local\Temp\nsy41.tmp\System.dll

          Filesize

          11KB

          MD5

          c17103ae9072a06da581dec998343fc1

          SHA1

          b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

          SHA256

          dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

          SHA512

          d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

        • memory/1980-73-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/1980-72-0x0000000000840000-0x0000000000842000-memory.dmp

          Filesize

          8KB

        • memory/1980-74-0x0000000000240000-0x000000000024D000-memory.dmp

          Filesize

          52KB

        • memory/1980-59-0x0000000000330000-0x0000000000332000-memory.dmp

          Filesize

          8KB

        • memory/1980-75-0x0000000002040000-0x00000000030CE000-memory.dmp

          Filesize

          16.6MB

        • memory/1980-58-0x0000000002040000-0x00000000030CE000-memory.dmp

          Filesize

          16.6MB

        • memory/1980-57-0x0000000000240000-0x0000000000282000-memory.dmp

          Filesize

          264KB

        • memory/1980-56-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/1980-55-0x0000000002040000-0x00000000030CE000-memory.dmp

          Filesize

          16.6MB

        • memory/1980-54-0x0000000075981000-0x0000000075983000-memory.dmp

          Filesize

          8KB