Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
138s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
21/11/2022, 08:25
Static task
static1
Behavioral task
behavioral1
Sample
d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe
Resource
win7-20221111-en
windows7-x64
13 signatures
150 seconds
General
-
Target
d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe
-
Size
341KB
-
MD5
307d7ae6da73dc48e7842fd401606aa0
-
SHA1
0d839574c26c9f630c9546278f2716359c89ea83
-
SHA256
d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e
-
SHA512
d7d92347fb3ac49b35f7b7665d7cfc76cf599eecaadcc150d2d1904fe5c88138c4357c03ff367bd19a143132a1ff81d2bccc95be75439bcd4f7548a404ff4dbb
-
SSDEEP
6144:BIAsfbxfdM1Ok/8O1+56qCMTF5gvcmRlh6aOCe:Xq1fK13o56qCQjOe
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe -
resource yara_rule behavioral2/memory/4432-132-0x00000000023B0000-0x000000000343E000-memory.dmp upx behavioral2/memory/4432-135-0x00000000023B0000-0x000000000343E000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe Token: SeDebugPrivilege 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 4432 wrote to memory of 776 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe 9 PID 4432 wrote to memory of 784 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe 10 PID 4432 wrote to memory of 1016 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe 76 PID 4432 wrote to memory of 2700 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe 42 PID 4432 wrote to memory of 2816 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe 41 PID 4432 wrote to memory of 2868 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe 40 PID 4432 wrote to memory of 2376 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe 23 PID 4432 wrote to memory of 2936 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe 32 PID 4432 wrote to memory of 3276 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe 31 PID 4432 wrote to memory of 3376 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe 24 PID 4432 wrote to memory of 3444 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe 25 PID 4432 wrote to memory of 3532 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe 29 PID 4432 wrote to memory of 3700 4432 d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe 28 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:776
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:784
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:2376
-
C:\Users\Admin\AppData\Local\Temp\d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe"C:\Users\Admin\AppData\Local\Temp\d7e6d0e431466059e2b70d93b91d7e50055b526373bef3b5f7d0e46fff2f7e1e.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4432
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3376
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3444
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3700
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3532
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3276
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:2936
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2868
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2816
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2700
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:1016