Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/10/2022, 01:59

General

  • Target

    37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe

  • Size

    206KB

  • MD5

    93dfc059eca953f965daffbd5bfdcc20

  • SHA1

    6c65353faf17815857e0bb474681eb42c5291978

  • SHA256

    37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced

  • SHA512

    2c18b9600ebd9fec54cd2f774cb2ebcec11a1c0030f233ddbe555e4378ee39c9025b9448bb2f550203abbc9d28e5513637409a3b7ce65cb33e38ce128bdb6cee

  • SSDEEP

    3072:rkqoCl/YgjxEufVU0TbTyDDalbyCH99X5tpX2vz4eAILUr:rjLqdufVUNDar9JHX2vEI0

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

  • UAC bypass 3 TTPs 2 IoCs
  • Windows security bypass 2 TTPs 12 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables Task Manager via registry modification
  • Executes dropped EXE 4 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 14 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:764
    • C:\Windows\system32\dwm.exe
      "dwm.exe"
      1⤵
        PID:1016
      • C:\Windows\system32\fontdrvhost.exe
        "fontdrvhost.exe"
        1⤵
          PID:772
        • C:\Windows\system32\sihost.exe
          sihost.exe
          1⤵
            PID:2288
          • C:\Windows\System32\RuntimeBroker.exe
            C:\Windows\System32\RuntimeBroker.exe -Embedding
            1⤵
              PID:3416
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
                PID:3356
              • C:\Windows\system32\backgroundTaskHost.exe
                "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                1⤵
                  PID:4420
                • C:\Windows\System32\RuntimeBroker.exe
                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                  1⤵
                    PID:4652
                  • C:\Windows\System32\RuntimeBroker.exe
                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                    1⤵
                      PID:3688
                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                      1⤵
                        PID:3568
                      • C:\Windows\system32\DllHost.exe
                        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                        1⤵
                          PID:3248
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                          1⤵
                            PID:2832
                          • C:\Windows\Explorer.EXE
                            C:\Windows\Explorer.EXE
                            1⤵
                              PID:3048
                              • C:\Users\Admin\AppData\Local\Temp\37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe
                                "C:\Users\Admin\AppData\Local\Temp\37bf19531b49d2c47c2b4af16bc69850df0691e7dd4229a6a883193b50685ced.exe"
                                2⤵
                                • UAC bypass
                                • Windows security bypass
                                • Disables RegEdit via registry modification
                                • Windows security modification
                                • Checks whether UAC is enabled
                                • Drops file in Windows directory
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of SetWindowsHookEx
                                • Suspicious use of WriteProcessMemory
                                • System policy modification
                                PID:4396
                                • \??\c:\windows\resources\themes\explorer.exe
                                  c:\windows\resources\themes\explorer.exe
                                  3⤵
                                  • Modifies visiblity of hidden/system files in Explorer
                                  • UAC bypass
                                  • Windows security bypass
                                  • Disables RegEdit via registry modification
                                  • Executes dropped EXE
                                  • Windows security modification
                                  • Adds Run key to start application
                                  • Checks whether UAC is enabled
                                  • Drops file in System32 directory
                                  • Drops file in Program Files directory
                                  • Drops file in Windows directory
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious behavior: GetForegroundWindowSpam
                                  • Suspicious use of SetWindowsHookEx
                                  • Suspicious use of WriteProcessMemory
                                  • System policy modification
                                  PID:4548
                                  • \??\c:\windows\resources\spoolsv.exe
                                    c:\windows\resources\spoolsv.exe SE
                                    4⤵
                                    • Executes dropped EXE
                                    • Drops file in Windows directory
                                    • Suspicious use of SetWindowsHookEx
                                    • Suspicious use of WriteProcessMemory
                                    PID:4588
                                    • \??\c:\windows\resources\svchost.exe
                                      c:\windows\resources\svchost.exe
                                      5⤵
                                      • Modifies visiblity of hidden/system files in Explorer
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      • Drops file in System32 directory
                                      • Suspicious behavior: GetForegroundWindowSpam
                                      • Suspicious use of SetWindowsHookEx
                                      • Suspicious use of WriteProcessMemory
                                      PID:3488
                                      • \??\c:\windows\resources\spoolsv.exe
                                        c:\windows\resources\spoolsv.exe PR
                                        6⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetWindowsHookEx
                                        PID:3208
                            • C:\Windows\system32\taskhostw.exe
                              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                              1⤵
                                PID:2436
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                1⤵
                                  PID:2296
                                • C:\Windows\System32\RuntimeBroker.exe
                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                  1⤵
                                    PID:384

                                  Network

                                  MITRE ATT&CK Enterprise v6

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Windows\Resources\Themes\explorer.exe

                                    Filesize

                                    206KB

                                    MD5

                                    4e1084dfe288d50bebd2da26ca9fd877

                                    SHA1

                                    7f1fcb2105bfe115937e2484985c68a77e08d834

                                    SHA256

                                    250e9a1e191ddf1302fefb8e47eef8d0950e07d7d1e56e436645c433576c2d34

                                    SHA512

                                    3ab9af77d08cdf80491e7e9f8e5e2b2a5b7302ca5823b894d1782d698cbcd655441f7d172db428f3078daf9854004aa65bcf22fc25d0d2fb66cc43195d34f65c

                                  • C:\Windows\Resources\spoolsv.exe

                                    Filesize

                                    206KB

                                    MD5

                                    5a465167942299d2b460f17192ee2369

                                    SHA1

                                    6e6442e481bf06701286419374e26d4ae7efe6a7

                                    SHA256

                                    ff4f256b47811e50410fc5cfb3d57dd7fbb3fe18d19fc297a414571e70fa1e79

                                    SHA512

                                    833c7f915c80928aefffc822bb51c5a828f9d224f6964e8cec325390c521cdb7f23a307be517f94ab88cac48a6603b4e88ef28b6fa6633762eb9f8b8f1fcdab6

                                  • C:\Windows\Resources\spoolsv.exe

                                    Filesize

                                    206KB

                                    MD5

                                    5a465167942299d2b460f17192ee2369

                                    SHA1

                                    6e6442e481bf06701286419374e26d4ae7efe6a7

                                    SHA256

                                    ff4f256b47811e50410fc5cfb3d57dd7fbb3fe18d19fc297a414571e70fa1e79

                                    SHA512

                                    833c7f915c80928aefffc822bb51c5a828f9d224f6964e8cec325390c521cdb7f23a307be517f94ab88cac48a6603b4e88ef28b6fa6633762eb9f8b8f1fcdab6

                                  • C:\Windows\Resources\svchost.exe

                                    Filesize

                                    206KB

                                    MD5

                                    43e574fe8c7c78247c4f771da616d92d

                                    SHA1

                                    121c52280c896cbf631392877ee8f6eb5c5d868b

                                    SHA256

                                    40ebda506827976ba2aab133148cf3278943d66bd5d7a7ed6229acb8ef9b150b

                                    SHA512

                                    45f9b4f2f0dd765f9dc3b16e9b1c28bdf1567231f74e7dba812dee34fe5cdb7243d09694641b43c525e4195baf9c0b0c31cea987d67dcc511a75200c71b2327b

                                  • C:\Windows\SYSTEM.INI

                                    Filesize

                                    257B

                                    MD5

                                    d53e9fb3ea70f34265ae3861759cae99

                                    SHA1

                                    c94471d8e66e17d0fa0ccfd2b3403c4412c34518

                                    SHA256

                                    c96b01925973f668367424f32e129827f5dcc8113871db811b95a76e567bf356

                                    SHA512

                                    50f3722879c11db9f54a1a37bf9fdc71d0e8b1d97ed6eaed19348688ee9bb60785b00b22e5a01750c35a00a6573cd7a29b30757d5bfd97d4a49ec0818e0c26a0

                                  • \??\c:\windows\resources\spoolsv.exe

                                    Filesize

                                    206KB

                                    MD5

                                    5a465167942299d2b460f17192ee2369

                                    SHA1

                                    6e6442e481bf06701286419374e26d4ae7efe6a7

                                    SHA256

                                    ff4f256b47811e50410fc5cfb3d57dd7fbb3fe18d19fc297a414571e70fa1e79

                                    SHA512

                                    833c7f915c80928aefffc822bb51c5a828f9d224f6964e8cec325390c521cdb7f23a307be517f94ab88cac48a6603b4e88ef28b6fa6633762eb9f8b8f1fcdab6

                                  • \??\c:\windows\resources\svchost.exe

                                    Filesize

                                    206KB

                                    MD5

                                    43e574fe8c7c78247c4f771da616d92d

                                    SHA1

                                    121c52280c896cbf631392877ee8f6eb5c5d868b

                                    SHA256

                                    40ebda506827976ba2aab133148cf3278943d66bd5d7a7ed6229acb8ef9b150b

                                    SHA512

                                    45f9b4f2f0dd765f9dc3b16e9b1c28bdf1567231f74e7dba812dee34fe5cdb7243d09694641b43c525e4195baf9c0b0c31cea987d67dcc511a75200c71b2327b

                                  • \??\c:\windows\resources\themes\explorer.exe

                                    Filesize

                                    206KB

                                    MD5

                                    4e1084dfe288d50bebd2da26ca9fd877

                                    SHA1

                                    7f1fcb2105bfe115937e2484985c68a77e08d834

                                    SHA256

                                    250e9a1e191ddf1302fefb8e47eef8d0950e07d7d1e56e436645c433576c2d34

                                    SHA512

                                    3ab9af77d08cdf80491e7e9f8e5e2b2a5b7302ca5823b894d1782d698cbcd655441f7d172db428f3078daf9854004aa65bcf22fc25d0d2fb66cc43195d34f65c

                                  • memory/3208-164-0x0000000000400000-0x000000000042F000-memory.dmp

                                    Filesize

                                    188KB

                                  • memory/3488-172-0x0000000000400000-0x000000000042F000-memory.dmp

                                    Filesize

                                    188KB

                                  • memory/3488-163-0x0000000000400000-0x000000000042F000-memory.dmp

                                    Filesize

                                    188KB

                                  • memory/4396-166-0x0000000000400000-0x000000000042F000-memory.dmp

                                    Filesize

                                    188KB

                                  • memory/4396-132-0x0000000000400000-0x000000000042F000-memory.dmp

                                    Filesize

                                    188KB

                                  • memory/4396-146-0x0000000002CF0000-0x0000000003D7D000-memory.dmp

                                    Filesize

                                    16.6MB

                                  • memory/4396-167-0x0000000002CF0000-0x0000000003D7D000-memory.dmp

                                    Filesize

                                    16.6MB

                                  • memory/4396-133-0x0000000002CF0000-0x0000000003D7D000-memory.dmp

                                    Filesize

                                    16.6MB

                                  • memory/4548-147-0x0000000000400000-0x000000000042F000-memory.dmp

                                    Filesize

                                    188KB

                                  • memory/4548-168-0x0000000003270000-0x00000000042FD000-memory.dmp

                                    Filesize

                                    16.6MB

                                  • memory/4548-170-0x0000000003270000-0x00000000042FD000-memory.dmp

                                    Filesize

                                    16.6MB

                                  • memory/4548-171-0x0000000000400000-0x000000000042F000-memory.dmp

                                    Filesize

                                    188KB

                                  • memory/4588-162-0x0000000000400000-0x000000000042F000-memory.dmp

                                    Filesize

                                    188KB

                                  • memory/4588-165-0x0000000000400000-0x000000000042F000-memory.dmp

                                    Filesize

                                    188KB