Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

57a68f0168...73.exe

windows7-x64

10

57a68f0168...73.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    44s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28/10/2022, 19:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    57a68f016854455c96c7d8dffda101920cf5435dc2eacf30bba395776c8c1573.exe

  • Size

    886KB

  • MD5

    078e2046ac7838975476a91321c13e00

  • SHA1

    97fb58c2870d2b50e1cf010bda810b51ccf58ff4

  • SHA256

    57a68f016854455c96c7d8dffda101920cf5435dc2eacf30bba395776c8c1573

  • SHA512

    27509d4270d48134ba4bd170590deea9bd15f47025544971a5fc82ff692ec73b7e7556b51069b04f62b2d42837a8ce67524b4db5a8cc8787ac1c09df45f16ff6

  • SSDEEP

    24576:JdKhrfuPmUghtFKviSKCe3UFvciuRWJc:JwUKKqXUKv

Score
10/10
salitybackdoorevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 4 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1084
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1212
        • C:\Users\Admin\AppData\Local\Temp\57a68f016854455c96c7d8dffda101920cf5435dc2eacf30bba395776c8c1573.exe
          "C:\Users\Admin\AppData\Local\Temp\57a68f016854455c96c7d8dffda101920cf5435dc2eacf30bba395776c8c1573.exe"
          2⤵
          • Modifies firewall policy service
          • UAC bypass
          • Windows security bypass
          • Loads dropped DLL
          • Windows security modification
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1132
          • C:\Program Files (x86)\602game\sgh\sgh.exe
            "C:\Program Files (x86)\602game\sgh\sgh.exe"
            3⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            PID:1416
      • C:\Windows\system32\Dwm.exe
        "C:\Windows\system32\Dwm.exe"
        1⤵
          PID:1176

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\602game\sgh\sgh.exe
          Filesize

          1023KB

          MD5

          5dcb7c023166f4c5c7dafc644dd2b31e

          SHA1

          29f33244534b573d71f42c17643dde5a06147708

          SHA256

          a17baaa2a19f2bcf81e9d83c747d4c1fe77282b6514205fc92c1e01b3016de8c

          SHA512

          4e6a3cf27d2dcebd1c64e01913dac55a3e3df69726f07ba449dfc92cb189f6021daa8801a6e1e29c2f8b37aaf250d684f2b9013180669526e64dfc2309f5b5d5

          Download Submit

        • C:\Program Files (x86)\602game\sgh\sgh.exe
          Filesize

          1023KB

          MD5

          5dcb7c023166f4c5c7dafc644dd2b31e

          SHA1

          29f33244534b573d71f42c17643dde5a06147708

          SHA256

          a17baaa2a19f2bcf81e9d83c747d4c1fe77282b6514205fc92c1e01b3016de8c

          SHA512

          4e6a3cf27d2dcebd1c64e01913dac55a3e3df69726f07ba449dfc92cb189f6021daa8801a6e1e29c2f8b37aaf250d684f2b9013180669526e64dfc2309f5b5d5

          Download Submit

        • C:\Program Files (x86)\602game\sgh\static.ini
          Filesize

          124B

          MD5

          cf38f2648bdccf4431928075984ae9bc

          SHA1

          63b76c9aaa0412762fc89837ecc1cbb50350c3e2

          SHA256

          70170aea4e2e869eb8a6371a71ef23a41a3adba916cd3e5cb1320e390fef1afb

          SHA512

          42168d298b12bdc010e527af33b0844e410c839d353f2c1a1d64a153fd83a6e8904cedbe3c8d64e18d96004c7b6a9ec743ed06832c2a6bfe1fb0db499d534328

          Download Submit

        • \Program Files (x86)\602game\sgh\sgh.exe
          Filesize

          1023KB

          MD5

          5dcb7c023166f4c5c7dafc644dd2b31e

          SHA1

          29f33244534b573d71f42c17643dde5a06147708

          SHA256

          a17baaa2a19f2bcf81e9d83c747d4c1fe77282b6514205fc92c1e01b3016de8c

          SHA512

          4e6a3cf27d2dcebd1c64e01913dac55a3e3df69726f07ba449dfc92cb189f6021daa8801a6e1e29c2f8b37aaf250d684f2b9013180669526e64dfc2309f5b5d5

          Download Submit

        • \Program Files (x86)\602game\sgh\sgh.exe
          Filesize

          1023KB

          MD5

          5dcb7c023166f4c5c7dafc644dd2b31e

          SHA1

          29f33244534b573d71f42c17643dde5a06147708

          SHA256

          a17baaa2a19f2bcf81e9d83c747d4c1fe77282b6514205fc92c1e01b3016de8c

          SHA512

          4e6a3cf27d2dcebd1c64e01913dac55a3e3df69726f07ba449dfc92cb189f6021daa8801a6e1e29c2f8b37aaf250d684f2b9013180669526e64dfc2309f5b5d5

          Download Submit

        • \Program Files (x86)\602game\sgh\sgh.exe
          Filesize

          1023KB

          MD5

          5dcb7c023166f4c5c7dafc644dd2b31e

          SHA1

          29f33244534b573d71f42c17643dde5a06147708

          SHA256

          a17baaa2a19f2bcf81e9d83c747d4c1fe77282b6514205fc92c1e01b3016de8c

          SHA512

          4e6a3cf27d2dcebd1c64e01913dac55a3e3df69726f07ba449dfc92cb189f6021daa8801a6e1e29c2f8b37aaf250d684f2b9013180669526e64dfc2309f5b5d5

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nsd49CE.tmp\NSISdl.dll
          Filesize

          14KB

          MD5

          254f13dfd61c5b7d2119eb2550491e1d

          SHA1

          5083f6804ee3475f3698ab9e68611b0128e22fd6

          SHA256

          fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

          SHA512

          fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

          Download Submit

        • memory/1132-58-0x0000000003BB0000-0x0000000003BB2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1132-57-0x0000000001EB0000-0x0000000002F3E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/1132-54-0x0000000075561000-0x0000000075563000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1132-66-0x0000000000400000-0x0000000000450000-memory.dmp

          Filesize

          320KB

          Download

        • memory/1132-67-0x0000000001EB0000-0x0000000002F3E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/1132-56-0x0000000001EB0000-0x0000000002F3E000-memory.dmp

          Filesize

          16.6MB

          Download

        • memory/1132-55-0x0000000000400000-0x0000000000450000-memory.dmp

          Filesize

          320KB

          Download