Analysis

  • max time kernel
    73s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/11/2022, 16:00

General

  • Target

    d9432f096c58b8a0a36f27dfd0694df3cda62c1aee4fc791546d28bb531289ae.exe

  • Size

    238KB

  • MD5

    0df275014b644f383e9549efccb52770

  • SHA1

    258d48a71da29bd26cdc7af7c4b24f633041d6c6

  • SHA256

    d9432f096c58b8a0a36f27dfd0694df3cda62c1aee4fc791546d28bb531289ae

  • SHA512

    a56fb408cb775e35f38e1e6648d5be823efaf3375ac876979067d7b4492addea5db887c6fbc55494eee715e7ab12b65f71f08eca6aabcf97176c298164829074

  • SSDEEP

    3072:InnAQVG/LytaKItS/fiLKS+f5Aq7iOmO0htrNn5a938J/TWcx2Jijq+wPIEryvy:EOTeHI8HiL7+f5D8J5WAqIOZPnx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

http://klkjwre77638dfqwieuoi888.info/

Signatures

  • Ramnit

    Ramnit is a versatile family that includes viruses, worms, and Trojans.

  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • Windows security bypass (2 TTPs, 6 IoCs)
  • Disables RegEdit via registry modification (1 IoC)
  • Disables Task Manager via registry modification
  • UPX packed file (4 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL (1 IoC)
  • Windows security modification (2 TTPs, 7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9432f096c58b8a0a36f27dfd0694df3cda62c1aee4fc791546d28bb531289ae.exe
    "C:\Users\Admin\AppData\Local\Temp\d9432f096c58b8a0a36f27dfd0694df3cda62c1aee4fc791546d28bb531289ae.exe"
    • Windows security bypass
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Windows security modification
    PID:1728

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~TMCDC4.tmp

    Filesize

    1.6MB

    MD5

    4f3387277ccbd6d1f21ac5c07fe4ca68

    SHA1

    e16506f662dc92023bf82def1d621497c8ab5890

    SHA256

    767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

    SHA512

    9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

  • memory/1728-132-0x00000000023C0000-0x000000000344E000-memory.dmp

    Filesize

    16.6MB

  • memory/1728-133-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/1728-134-0x00000000023C0000-0x000000000344E000-memory.dmp

    Filesize

    16.6MB

  • memory/1728-135-0x00000000021F0000-0x000000000222E000-memory.dmp

    Filesize

    248KB

  • memory/1728-137-0x00000000023C0000-0x000000000344E000-memory.dmp

    Filesize

    16.6MB

  • memory/1728-138-0x0000000077DB0000-0x0000000077F53000-memory.dmp

    Filesize

    1.6MB