Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
-
submitted
21/10/2023, 21:27
General
-
Target
NEAS.a28a054ef02fad5162ebe58599860d30.dll
-
Size
120KB
-
MD5
a28a054ef02fad5162ebe58599860d30
-
SHA1
a3a37238132d5bbb43a8fb955d88c9efc660e44a
-
SHA256
162378b57cb5ffc29a00120725e8793f07a93f506783151e21e94b65647d13ba
-
SHA512
7cad2829760e0d8c436d19b2221e7c5977ad509fce4496914aa49c6c26c2b47af1f670bc885d1a665f6ae4707562777510ae46ada44096f3b04373cafc31c15c
-
SSDEEP
3072:n2vg20tu6fiquMnJhgl8K7wPMNIBWGNoo69S2Gx2gt4:IP4u/n9xiB5iSL4gt
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 10 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 39 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.a28a054ef02fad5162ebe58599860d30.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.a28a054ef02fad5162ebe58599860d30.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f7643b4.exeC:\Users\Admin\AppData\Local\Temp\f7643b4.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f764c2d.exeC:\Users\Admin\AppData\Local\Temp\f764c2d.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f76582e.exeC:\Users\Admin\AppData\Local\Temp\f76582e.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD5516c6553e31fe1d9705c5b56f8294304
SHA18b3075c4d87fa77fadcba5e8593a05131ca4cfd4
SHA25660f82427c9898e85888b1947b38383ab5824a651e0e20dda8f3252115acac1cc
SHA512fce75a4a5665d7792f8c99e30ea4702da4c10526408da3e2e82d97442bd034cfc4c71b603c9c564bd8ed3981151d2d7ba89bf7ef9b936e165dc6a3a2a74cc9fa
-
Filesize
97KB
MD5516c6553e31fe1d9705c5b56f8294304
SHA18b3075c4d87fa77fadcba5e8593a05131ca4cfd4
SHA25660f82427c9898e85888b1947b38383ab5824a651e0e20dda8f3252115acac1cc
SHA512fce75a4a5665d7792f8c99e30ea4702da4c10526408da3e2e82d97442bd034cfc4c71b603c9c564bd8ed3981151d2d7ba89bf7ef9b936e165dc6a3a2a74cc9fa
-
Filesize
97KB
MD5516c6553e31fe1d9705c5b56f8294304
SHA18b3075c4d87fa77fadcba5e8593a05131ca4cfd4
SHA25660f82427c9898e85888b1947b38383ab5824a651e0e20dda8f3252115acac1cc
SHA512fce75a4a5665d7792f8c99e30ea4702da4c10526408da3e2e82d97442bd034cfc4c71b603c9c564bd8ed3981151d2d7ba89bf7ef9b936e165dc6a3a2a74cc9fa
-
Filesize
97KB
MD5516c6553e31fe1d9705c5b56f8294304
SHA18b3075c4d87fa77fadcba5e8593a05131ca4cfd4
SHA25660f82427c9898e85888b1947b38383ab5824a651e0e20dda8f3252115acac1cc
SHA512fce75a4a5665d7792f8c99e30ea4702da4c10526408da3e2e82d97442bd034cfc4c71b603c9c564bd8ed3981151d2d7ba89bf7ef9b936e165dc6a3a2a74cc9fa
-
Filesize
257B
MD55d091e297b9945a95842ffd5ccb12257
SHA1d2f040b455d18c07cc892804006878ac08ac18fb
SHA25625bdf07e740acfa35bae8a110bcd90865b5d0b7dc5068fdb74ebff4dce3790a5
SHA512d6827399b8863c277d96b60114cce12b6312e2539e196631e3ba7616fdffba35f7e5e7bf8df0c130c3b69dbdea303c62c6a954d8ac779f75a400cbab11285f24
-
Filesize
97KB
MD5516c6553e31fe1d9705c5b56f8294304
SHA18b3075c4d87fa77fadcba5e8593a05131ca4cfd4
SHA25660f82427c9898e85888b1947b38383ab5824a651e0e20dda8f3252115acac1cc
SHA512fce75a4a5665d7792f8c99e30ea4702da4c10526408da3e2e82d97442bd034cfc4c71b603c9c564bd8ed3981151d2d7ba89bf7ef9b936e165dc6a3a2a74cc9fa
-
Filesize
97KB
MD5516c6553e31fe1d9705c5b56f8294304
SHA18b3075c4d87fa77fadcba5e8593a05131ca4cfd4
SHA25660f82427c9898e85888b1947b38383ab5824a651e0e20dda8f3252115acac1cc
SHA512fce75a4a5665d7792f8c99e30ea4702da4c10526408da3e2e82d97442bd034cfc4c71b603c9c564bd8ed3981151d2d7ba89bf7ef9b936e165dc6a3a2a74cc9fa
-
Filesize
97KB
MD5516c6553e31fe1d9705c5b56f8294304
SHA18b3075c4d87fa77fadcba5e8593a05131ca4cfd4
SHA25660f82427c9898e85888b1947b38383ab5824a651e0e20dda8f3252115acac1cc
SHA512fce75a4a5665d7792f8c99e30ea4702da4c10526408da3e2e82d97442bd034cfc4c71b603c9c564bd8ed3981151d2d7ba89bf7ef9b936e165dc6a3a2a74cc9fa
-
Filesize
97KB
MD5516c6553e31fe1d9705c5b56f8294304
SHA18b3075c4d87fa77fadcba5e8593a05131ca4cfd4
SHA25660f82427c9898e85888b1947b38383ab5824a651e0e20dda8f3252115acac1cc
SHA512fce75a4a5665d7792f8c99e30ea4702da4c10526408da3e2e82d97442bd034cfc4c71b603c9c564bd8ed3981151d2d7ba89bf7ef9b936e165dc6a3a2a74cc9fa
-
Filesize
97KB
MD5516c6553e31fe1d9705c5b56f8294304
SHA18b3075c4d87fa77fadcba5e8593a05131ca4cfd4
SHA25660f82427c9898e85888b1947b38383ab5824a651e0e20dda8f3252115acac1cc
SHA512fce75a4a5665d7792f8c99e30ea4702da4c10526408da3e2e82d97442bd034cfc4c71b603c9c564bd8ed3981151d2d7ba89bf7ef9b936e165dc6a3a2a74cc9fa
-
Filesize
97KB
MD5516c6553e31fe1d9705c5b56f8294304
SHA18b3075c4d87fa77fadcba5e8593a05131ca4cfd4
SHA25660f82427c9898e85888b1947b38383ab5824a651e0e20dda8f3252115acac1cc
SHA512fce75a4a5665d7792f8c99e30ea4702da4c10526408da3e2e82d97442bd034cfc4c71b603c9c564bd8ed3981151d2d7ba89bf7ef9b936e165dc6a3a2a74cc9fa
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
24KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB