
Analysis

  • max time kernel
    124s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/10/2022, 01:38 UTC

General

  • Target

    f36a432c4115ed6bded01f130bd82c164e3329fb41a97114e159d74d3380db9b.exe

  • Size

    856KB

  • MD5

    92c0ba97d17fc60449d8da8d0b0689b0

  • SHA1

    70bc3b8da5b44b1c6ea927ca4e1a7ce6cf7a30a1

  • SHA256

    f36a432c4115ed6bded01f130bd82c164e3329fb41a97114e159d74d3380db9b

  • SHA512

    2cc3a6a04aa7566111788fc602cf05d9cd4bb620e56e5ee2a7097b256c7a6eb3e2e449a14e1418d14c7c88c19d21541a8554968478f03a9c8586a775c516cb95

  • SSDEEP

    12288:PXQQXlKsrM6VKYnNPFqjOipJbk936F3qWX4SwzAFx:4QVKsrBNA6kJbcqQWX4gn

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX or a modified build of the UPX open-source packer.

  • Windows security modification 2 TTPs 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 1 IoCs
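The signatures above are the sandbox's behavioural labels; they do not list which registry values the sample changed. The following PowerShell script is an added triage example, not part of the tria.ge report and not the sample's own code: it audits the standard Windows locations that malware with these behaviours typically touches (UAC, firewall profile policy and firewall exceptions, Security Center notification suppression, Defender policy, Task Manager and Registry Editor policy). The key paths and default values are standard Windows settings; that this particular sample modified any specific one of them is an assumption to confirm against the host, and `HKCU` checks apply only to the user running the script.

```powershell
# Added example, not from the tria.ge report. Audits host settings matching the
# signatures "UAC bypass", "Modifies firewall policy service", "Windows security
# bypass/modification" and "System policy modification". Expected = Windows default.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Expected = 1; Why = 'UAC disabled' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Name = 'EnableFirewall'; Expected = 1; Why = 'firewall off (standard profile)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile';   Name = 'EnableFirewall'; Expected = 1; Why = 'firewall off (domain profile)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile';   Name = 'EnableFirewall'; Expected = 1; Why = 'firewall off (public profile)' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusDisableNotify'; Expected = 0; Why = 'AV notifications suppressed' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallDisableNotify';  Expected = 0; Why = 'firewall notifications suppressed' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'UpdatesDisableNotify';   Expected = 0; Why = 'update notifications suppressed' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware'; Expected = 0; Why = 'Defender disabled by policy' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring'; Expected = 0; Why = 'real-time protection disabled by policy' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr';        Expected = 0; Why = 'Task Manager disabled' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools';  Expected = 0; Why = 'Registry Editor disabled' }
)

function Test-HardeningValue {
    param([hashtable]$Check)
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Absent value: Windows uses its built-in default, which is the expected state.
        return [pscustomobject]@{ Name = $Check.Name; Path = $Check.Path; Value = '<absent>'; Status = 'ok (default)' }
    }
    $actual = $item.($Check.Name)
    $status = if ($actual -eq $Check.Expected) { 'ok' } else { 'FLAGGED: ' + $Check.Why }
    [pscustomobject]@{ Name = $Check.Name; Path = $Check.Path; Value = $actual; Status = $status }
}

function Get-SuspiciousFirewallExceptions {
    # "Modifies firewall policy service": list legacy firewall exceptions that point
    # into user-writable directories, the usual location of a dropped sample.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($profile in 'StandardProfile', 'DomainProfile', 'PublicProfile') {
        $props = Get-ItemProperty -Path "$base\$profile\AuthorizedApplications\List" -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Name -match '\\(Temp|AppData|Users)\\' } |
            ForEach-Object { [pscustomobject]@{ Profile = $profile; Program = $_.Name; Rule = $_.Value } }
    }
}

$results = $checks | ForEach-Object { Test-HardeningValue -Check $_ }
$results | Format-Table Name, Value, Status -AutoSize
Get-SuspiciousFirewallExceptions | Format-Table -AutoSize
```

Run it elevated on the suspect host and compare against a clean baseline of the same build; a flagged value is a lead, not proof, since administrators and other software set some of these legitimately.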

Processes

  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵ PID:312
  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵ PID:784
  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵ PID:776
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵ PID:2376
  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵ PID:2628
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵ PID:2388
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵ PID:2432
      • C:\Users\Admin\AppData\Local\Temp\f36a432c4115ed6bded01f130bd82c164e3329fb41a97114e159d74d3380db9b.exe
        "C:\Users\Admin\AppData\Local\Temp\f36a432c4115ed6bded01f130bd82c164e3329fb41a97114e159d74d3380db9b.exe"
        2⤵ PID:4072
        • Modifies firewall policy service
        • UAC bypass
        • Windows security bypass
        • Windows security modification
        • Checks whether UAC is enabled
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵ PID:3544
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵ PID:3412
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵ PID:3896
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵ PID:3348
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵ PID:3244
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    1⤵ PID:760
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵ PID:4776
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    1⤵ PID:4924
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵ PID:1636

Network

  • DNS
    Request: 151.122.125.40.in-addr.arpa IN PTR
    Remote address: 8.8.8.8:53
    Response: (none shown)

  Traffic

  Remote address      | Sent   | Received | Packets sent | Packets received
  --------------------|--------|----------|--------------|------------------
  72.21.81.240:80     | 92 B   | 80 B     | 2            | 2
  93.184.221.240:80   | 46 B   | 40 B     | 1            | 1
  209.197.3.8:80      | 260 B  |          | 5            |
  20.42.72.131:443    | 322 B  |          | 7            |
  8.253.135.241:80    | 322 B  |          | 7            |
  209.197.3.8:80      | 260 B  |          | 5            |
  209.197.3.8:80      | 260 B  |          | 5            |
  8.253.135.241:80    | 322 B  |          | 7            |
  209.197.3.8:80      | 322 B  |          | 7            |
  209.197.3.8:80      | 322 B  |          | 7            |
  8.8.8.8:53 (dns)    | 73 B   | 159 B    | 1            | 1

  DNS Request

  151.122.125.40.in-addr.arpa
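None of the traffic captured above goes to the C2 hosts listed under Malware Config; the C2 list comes from the extracted configuration, not from observed connections, so it has to be hunted for rather than read off the capture. The following PowerShell script is an added example, not part of the tria.ge report: it derives host indicators from the page's C2 URLs and looks for them in the local DNS client cache and, where Sysmon is installed, in its DNS query events (Event ID 22). The Sysmon log name and Event ID 22 field names are standard Sysmon, but that Sysmon is present on the host is an assumption, as is `Get-DnsClientCache`, which exists on Windows 8 / Server 2012 and later.

```powershell
# Added example, not from the tria.ge report. Hunts for the extracted C2 hosts on a
# Windows host via the DNS client cache and Sysmon DNS events (Event ID 22).
$c2Urls = @(
    'http://89.119.67.154/testo5/',
    'http://kukutrustnet777.info/home.gif',
    'http://kukutrustnet888.info/home.gif',
    'http://kukutrustnet987.info/home.gif',
    'http://www.klkjwre9fqwieluoi.info/',
    'http://kukutrustnet777888.info/'
)

function Get-C2Hosts {
    # Reduce the URLs to unique lower-case host parts (names and bare IPs).
    param([string[]]$Urls)
    $Urls | ForEach-Object { ([uri]$_).Host.ToLowerInvariant() } | Sort-Object -Unique
}

function Test-C2Name {
    # True if the queried name is a C2 host or a subdomain of one (e.g. www.<c2>).
    param([string]$QueryName, [string[]]$Names)
    if ([string]::IsNullOrEmpty($QueryName)) { return $false }
    $q = $QueryName.ToLowerInvariant().TrimEnd('.')
    foreach ($n in $Names) {
        if ($q -eq $n -or $q.EndsWith(".$n")) { return $true }
    }
    return $false
}

$hosts = Get-C2Hosts -Urls $c2Urls
$ips   = @($hosts | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })
$names = @($hosts | Where-Object { $ips -notcontains $_ })

# 1. DNS client cache: a match means a C2 name resolved (or a C2 IP was returned) recently.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { (Test-C2Name -QueryName $_.Entry -Names $names) -or ($ips -contains $_.Data) } |
    Select-Object Entry, RecordType, Data

# 2. Sysmon DNS query events: which process asked for a C2 name, and what it got back.
$sysmonLog = 'Microsoft-Windows-Sysmon/Operational'   # assumption: Sysmon installed
$events = Get-WinEvent -FilterHashtable @{ LogName = $sysmonLog; Id = 22 } -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if (Test-C2Name -QueryName $data['QueryName'] -Names $names) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Image   = $data['Image']
            Query   = $data['QueryName']
            Results = $data['QueryResults']
        }
    }
}
```

The bare IP (89.119.67.154) is matched against DNS answer data only; for direct connections to it, check proxy or firewall logs, since no DNS lookup precedes a hard-coded IP.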


Downloads

  • memory/4072-132-0x0000000000400000-0x00000000004D8000-memory.dmp (Filesize: 864KB)
  • memory/4072-133-0x00000000023E0000-0x000000000346E000-memory.dmp (Filesize: 16.6MB)
  • memory/4072-134-0x00000000023E0000-0x000000000346E000-memory.dmp (Filesize: 16.6MB)
  • memory/4072-135-0x0000000000400000-0x00000000004D8000-memory.dmp (Filesize: 864KB)
  • memory/4072-136-0x00000000023E0000-0x000000000346E000-memory.dmp (Filesize: 16.6MB)
