
Analysis

  • max time kernel
    121s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/08/2023, 21:50 UTC

General

  • Target

    524d972f381d6cd207f823a801673f400d3e8725dd346ca44bdfa6a36499c977.exe

  • Size

    8.0MB

  • MD5

    e53479bea8c4eabd029a20d36857dee6

  • SHA1

    394e933592c8e0f59c7c391f82fdc65a6ed1ab6d

  • SHA256

    524d972f381d6cd207f823a801673f400d3e8725dd346ca44bdfa6a36499c977

  • SHA512

    855207394eaf90f49cc3b8f5d97eb79d91a7a4746827466c1fd52ab37215e0d9d00c76ccc4f4c5c77f0111f035144e161a82e02f12e094d6106722ccb5ebf9f0

  • SSDEEP

    196608:qk2XqEPNE4T2Lv2I4ojlDSbwlIZBU7VDrRLHnKdX:NelgdlebwyZqFSX

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
      PID:2640
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1228
        • C:\Users\Admin\AppData\Local\Temp\524d972f381d6cd207f823a801673f400d3e8725dd346ca44bdfa6a36499c977.exe
          "C:\Users\Admin\AppData\Local\Temp\524d972f381d6cd207f823a801673f400d3e8725dd346ca44bdfa6a36499c977.exe"
          2⤵
          • Modifies firewall policy service
          • UAC bypass
          • Windows security bypass
          • Windows security modification
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2408
      • C:\Windows\system32\Dwm.exe
        "C:\Windows\system32\Dwm.exe"
        1⤵
          PID:1176
        • C:\Windows\system32\taskhost.exe
          "taskhost.exe"
          1⤵
            PID:1112

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/1112-8-0x0000000000320000-0x0000000000322000-memory.dmp

    Filesize

    8KB

  • memory/2408-23-0x0000000001320000-0x0000000001321000-memory.dmp

    Filesize

    4KB

  • memory/2408-26-0x00000000003F0000-0x00000000003F2000-memory.dmp

    Filesize

    8KB

  • memory/2408-2-0x0000000003220000-0x00000000042DA000-memory.dmp

    Filesize

    16.7MB

  • memory/2408-6-0x0000000001A30000-0x000000000288B000-memory.dmp

    Filesize

    14.4MB

  • memory/2408-5-0x0000000003220000-0x00000000042DA000-memory.dmp

    Filesize

    16.7MB

  • memory/2408-1-0x0000000001A30000-0x000000000288B000-memory.dmp

    Filesize

    14.4MB

  • memory/2408-7-0x0000000003220000-0x00000000042DA000-memory.dmp

    Filesize

    16.7MB

  • memory/2408-11-0x0000000003220000-0x00000000042DA000-memory.dmp

    Filesize

    16.7MB

  • memory/2408-18-0x00000000003F0000-0x00000000003F2000-memory.dmp

    Filesize

    8KB

  • memory/2408-28-0x0000000001320000-0x0000000001321000-memory.dmp

    Filesize

    4KB

  • memory/2408-3-0x0000000001A30000-0x000000000288B000-memory.dmp

    Filesize

    14.4MB

  • memory/2408-16-0x0000000003220000-0x00000000042DA000-memory.dmp

    Filesize

    16.7MB

  • memory/2408-0-0x0000000000400000-0x000000000125B000-memory.dmp

    Filesize

    14.4MB

  • memory/2408-27-0x0000000003220000-0x00000000042DA000-memory.dmp

    Filesize

    16.7MB

  • memory/2408-29-0x0000000003220000-0x00000000042DA000-memory.dmp

    Filesize

    16.7MB

  • memory/2408-30-0x0000000003220000-0x00000000042DA000-memory.dmp

    Filesize

    16.7MB

  • memory/2408-31-0x0000000003220000-0x00000000042DA000-memory.dmp

    Filesize

    16.7MB

  • memory/2408-32-0x0000000003220000-0x00000000042DA000-memory.dmp

    Filesize

    16.7MB

  • memory/2408-33-0x0000000003220000-0x00000000042DA000-memory.dmp

    Filesize

    16.7MB

  • memory/2408-38-0x00000000003F0000-0x00000000003F2000-memory.dmp

    Filesize

    8KB

  • memory/2408-34-0x0000000003220000-0x00000000042DA000-memory.dmp

    Filesize

    16.7MB

  • memory/2408-51-0x0000000000400000-0x000000000125B000-memory.dmp

    Filesize

    14.4MB
