Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

NEAS.3fbd7...JC.dll

windows7-x64

10

NEAS.3fbd7...JC.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    22/10/2023, 13:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.3fbd7d4a57a164798b4857d39330d940_JC.dll

  • Size

    120KB

  • MD5

    3fbd7d4a57a164798b4857d39330d940

  • SHA1

    6f93225454af95ea94f33f197e101e93073753dd

  • SHA256

    29ac6dc66bd7d3ff4f449a80662bb2547c793b67277ae69e6f51289ef3d6476d

  • SHA512

    1939c359e443ba2bc372da354e6e4371552507e184c629504d728be95b404706d50e6322dd02f2cad32bd0aafb0f96128b73d761fac377c3c1de38fda5311aba

  • SSDEEP

    3072:kjkQQ4OKihJ0im5wj1WkoJwtiVEkRqDT:kjNpXimuj1WkzwFAX

Score
10/10
salitybackdoorevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 22 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 7 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
      PID:344
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1288
        • C:\Windows\system32\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.3fbd7d4a57a164798b4857d39330d940_JC.dll,#1
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2136
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.3fbd7d4a57a164798b4857d39330d940_JC.dll,#1
            3⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2880
            • C:\Users\Admin\AppData\Local\Temp\f76cb4b.exe
              C:\Users\Admin\AppData\Local\Temp\f76cb4b.exe
              4⤵
              • Modifies firewall policy service
              • UAC bypass
              • Windows security bypass
              • Executes dropped EXE
              • Windows security modification
              • Checks whether UAC is enabled
              • Enumerates connected drives
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2676
      • C:\Windows\system32\Dwm.exe
        "C:\Windows\system32\Dwm.exe"
        1⤵
          PID:1244
        • C:\Windows\system32\taskhost.exe
          "taskhost.exe"
          1⤵
            PID:1148

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\f76cb4b.exe
            Filesize

            97KB

            MD5

            793d8ea692e2cad142347768649a6ffc

            SHA1

            1298079032fdf2798957ff02f4ce997bde6ba551

            SHA256

            0d1176608469c57f906195f093c645df08dac2a56b36a38a24fc767c710e65e7

            SHA512

            094d1fcc4a890ecfeaf418be3f6e00b5a3b3e9d3ddf136eadb23af61be9e599d7a79bdb786839db37908bbcc028438f95dea243607324c4ba04b4c43dde1b18a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\f76cb4b.exe
            Filesize

            97KB

            MD5

            793d8ea692e2cad142347768649a6ffc

            SHA1

            1298079032fdf2798957ff02f4ce997bde6ba551

            SHA256

            0d1176608469c57f906195f093c645df08dac2a56b36a38a24fc767c710e65e7

            SHA512

            094d1fcc4a890ecfeaf418be3f6e00b5a3b3e9d3ddf136eadb23af61be9e599d7a79bdb786839db37908bbcc028438f95dea243607324c4ba04b4c43dde1b18a

            Download Submit

          • \Users\Admin\AppData\Local\Temp\f76cb4b.exe
            Filesize

            97KB

            MD5

            793d8ea692e2cad142347768649a6ffc

            SHA1

            1298079032fdf2798957ff02f4ce997bde6ba551

            SHA256

            0d1176608469c57f906195f093c645df08dac2a56b36a38a24fc767c710e65e7

            SHA512

            094d1fcc4a890ecfeaf418be3f6e00b5a3b3e9d3ddf136eadb23af61be9e599d7a79bdb786839db37908bbcc028438f95dea243607324c4ba04b4c43dde1b18a

            Download Submit

          • \Users\Admin\AppData\Local\Temp\f76cb4b.exe
            Filesize

            97KB

            MD5

            793d8ea692e2cad142347768649a6ffc

            SHA1

            1298079032fdf2798957ff02f4ce997bde6ba551

            SHA256

            0d1176608469c57f906195f093c645df08dac2a56b36a38a24fc767c710e65e7

            SHA512

            094d1fcc4a890ecfeaf418be3f6e00b5a3b3e9d3ddf136eadb23af61be9e599d7a79bdb786839db37908bbcc028438f95dea243607324c4ba04b4c43dde1b18a

            Download Submit

          • memory/1148-19-0x0000000001B80000-0x0000000001B82000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2676-33-0x00000000003D0000-0x00000000003D2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2676-40-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2676-76-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2676-79-0x00000000003D0000-0x00000000003D2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2676-14-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2676-16-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2676-69-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2676-11-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2676-17-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2676-21-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2676-27-0x00000000003D0000-0x00000000003D2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2676-28-0x00000000003E0000-0x00000000003E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2676-25-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2676-65-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2676-34-0x00000000003E0000-0x00000000003E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2676-32-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2676-35-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2676-61-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2676-42-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2676-43-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2676-45-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2676-46-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2676-47-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2676-49-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2676-51-0x00000000003D0000-0x00000000003D2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2676-50-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2676-52-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2676-57-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2676-59-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2880-13-0x0000000000150000-0x0000000000162000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2880-1-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2880-18-0x0000000000150000-0x0000000000152000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2880-10-0x0000000000150000-0x0000000000162000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2880-3-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download