Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

NEAS.bf025...90.dll

windows7-x64

10

NEAS.bf025...90.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    28s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    22/10/2023, 17:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.bf0252fb37b0ea288eb95f7a1efab790.dll

  • Size

    120KB

  • MD5

    bf0252fb37b0ea288eb95f7a1efab790

  • SHA1

    7ec6826af6c96c1eb16407951398578a6795d435

  • SHA256

    07f30401b80deb5f5d379207df94bb69da730c9f3c4f55a7e9f9456a3f4c247a

  • SHA512

    9a7a63ecba6e9d8cdeda2cdc05ce4c8729a9d3f40984961f3b1efe4c4c342fb112383124dde8312cb082b7ef152b017db84eebea399694457a6c43197d0cadb2

  • SSDEEP

    1536:62FwS9Jjdr8umXZWuXEgBAu0xo64IN7QEdTgJo6b0f83TXuPSdtA:62FdRxy7Xloxo64abIA8Ta2

Score
10/10
salitybackdoorevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 5 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.bf0252fb37b0ea288eb95f7a1efab790.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.bf0252fb37b0ea288eb95f7a1efab790.dll,#1
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Users\Admin\AppData\Local\Temp\f76dda2.exe
        C:\Users\Admin\AppData\Local\Temp\f76dda2.exe
        3⤵
        • Modifies firewall policy service
        • UAC bypass
        • Windows security bypass
        • Executes dropped EXE
        • Windows security modification
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2360
      • C:\Users\Admin\AppData\Local\Temp\f76f538.exe
        C:\Users\Admin\AppData\Local\Temp\f76f538.exe
        3⤵
        • Executes dropped EXE
        PID:2800
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1180
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1136
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
          PID:1060

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\f76dda2.exe
          Filesize

          97KB

          MD5

          db1af904d9e9fb4b76fd4df6de08899a

          SHA1

          c8dce04f015b3dbcc1b8327cbac33019af86d25f

          SHA256

          2a8b3e1bfcf42a04156b3cfab9256c9720541bd059f3ec38c6fc15aa3a550797

          SHA512

          be59925891e6d50ad8f9b735dba09d892f13eeb30385e0ac42a17b6352a6418069f103735df00b05464ce991bc2b742b6628b3c2bd46858687a26531db190311

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\f76dda2.exe
          Filesize

          97KB

          MD5

          db1af904d9e9fb4b76fd4df6de08899a

          SHA1

          c8dce04f015b3dbcc1b8327cbac33019af86d25f

          SHA256

          2a8b3e1bfcf42a04156b3cfab9256c9720541bd059f3ec38c6fc15aa3a550797

          SHA512

          be59925891e6d50ad8f9b735dba09d892f13eeb30385e0ac42a17b6352a6418069f103735df00b05464ce991bc2b742b6628b3c2bd46858687a26531db190311

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\f76f538.exe
          Filesize

          97KB

          MD5

          db1af904d9e9fb4b76fd4df6de08899a

          SHA1

          c8dce04f015b3dbcc1b8327cbac33019af86d25f

          SHA256

          2a8b3e1bfcf42a04156b3cfab9256c9720541bd059f3ec38c6fc15aa3a550797

          SHA512

          be59925891e6d50ad8f9b735dba09d892f13eeb30385e0ac42a17b6352a6418069f103735df00b05464ce991bc2b742b6628b3c2bd46858687a26531db190311

          Download Submit

        • \Users\Admin\AppData\Local\Temp\f76dda2.exe
          Filesize

          97KB

          MD5

          db1af904d9e9fb4b76fd4df6de08899a

          SHA1

          c8dce04f015b3dbcc1b8327cbac33019af86d25f

          SHA256

          2a8b3e1bfcf42a04156b3cfab9256c9720541bd059f3ec38c6fc15aa3a550797

          SHA512

          be59925891e6d50ad8f9b735dba09d892f13eeb30385e0ac42a17b6352a6418069f103735df00b05464ce991bc2b742b6628b3c2bd46858687a26531db190311

          Download Submit

        • \Users\Admin\AppData\Local\Temp\f76dda2.exe
          Filesize

          97KB

          MD5

          db1af904d9e9fb4b76fd4df6de08899a

          SHA1

          c8dce04f015b3dbcc1b8327cbac33019af86d25f

          SHA256

          2a8b3e1bfcf42a04156b3cfab9256c9720541bd059f3ec38c6fc15aa3a550797

          SHA512

          be59925891e6d50ad8f9b735dba09d892f13eeb30385e0ac42a17b6352a6418069f103735df00b05464ce991bc2b742b6628b3c2bd46858687a26531db190311

          Download Submit

        • \Users\Admin\AppData\Local\Temp\f76f538.exe
          Filesize

          97KB

          MD5

          db1af904d9e9fb4b76fd4df6de08899a

          SHA1

          c8dce04f015b3dbcc1b8327cbac33019af86d25f

          SHA256

          2a8b3e1bfcf42a04156b3cfab9256c9720541bd059f3ec38c6fc15aa3a550797

          SHA512

          be59925891e6d50ad8f9b735dba09d892f13eeb30385e0ac42a17b6352a6418069f103735df00b05464ce991bc2b742b6628b3c2bd46858687a26531db190311

          Download Submit

        • \Users\Admin\AppData\Local\Temp\f76f538.exe
          Filesize

          97KB

          MD5

          db1af904d9e9fb4b76fd4df6de08899a

          SHA1

          c8dce04f015b3dbcc1b8327cbac33019af86d25f

          SHA256

          2a8b3e1bfcf42a04156b3cfab9256c9720541bd059f3ec38c6fc15aa3a550797

          SHA512

          be59925891e6d50ad8f9b735dba09d892f13eeb30385e0ac42a17b6352a6418069f103735df00b05464ce991bc2b742b6628b3c2bd46858687a26531db190311

          Download Submit

        • memory/1060-19-0x0000000000150000-0x0000000000152000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1720-2-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1720-39-0x0000000000360000-0x0000000000361000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1720-0-0x0000000010000000-0x0000000010020000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1720-4-0x0000000000170000-0x0000000000182000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1720-49-0x00000000003C0000-0x00000000003D2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1720-55-0x0000000000170000-0x0000000000172000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1720-50-0x00000000001E0000-0x00000000001E2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1720-37-0x00000000001E0000-0x00000000001E2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1720-28-0x00000000001E0000-0x00000000001E2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1720-38-0x0000000000360000-0x0000000000361000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1720-10-0x0000000000170000-0x0000000000182000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2360-16-0x0000000000670000-0x000000000172A000-memory.dmp

          Filesize

          16.7MB

          Download

        • memory/2360-67-0x0000000000670000-0x000000000172A000-memory.dmp

          Filesize

          16.7MB

          Download

        • memory/2360-24-0x0000000000670000-0x000000000172A000-memory.dmp

          Filesize

          16.7MB

          Download

        • memory/2360-21-0x0000000000670000-0x000000000172A000-memory.dmp

          Filesize

          16.7MB

          Download

        • memory/2360-18-0x0000000000670000-0x000000000172A000-memory.dmp

          Filesize

          16.7MB

          Download

        • memory/2360-17-0x0000000000670000-0x000000000172A000-memory.dmp

          Filesize

          16.7MB

          Download

        • memory/2360-82-0x0000000000670000-0x000000000172A000-memory.dmp

          Filesize

          16.7MB

          Download

        • memory/2360-14-0x0000000000670000-0x000000000172A000-memory.dmp

          Filesize

          16.7MB

          Download

        • memory/2360-34-0x0000000000670000-0x000000000172A000-memory.dmp

          Filesize

          16.7MB

          Download

        • memory/2360-12-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2360-57-0x0000000000670000-0x000000000172A000-memory.dmp

          Filesize

          16.7MB

          Download

        • memory/2360-61-0x0000000000560000-0x0000000000561000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2360-62-0x0000000000670000-0x000000000172A000-memory.dmp

          Filesize

          16.7MB

          Download

        • memory/2360-64-0x00000000002F0000-0x00000000002F2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2360-65-0x0000000000670000-0x000000000172A000-memory.dmp

          Filesize

          16.7MB

          Download

        • memory/2360-66-0x0000000000670000-0x000000000172A000-memory.dmp

          Filesize

          16.7MB

          Download

        • memory/2360-26-0x0000000000670000-0x000000000172A000-memory.dmp

          Filesize

          16.7MB

          Download

        • memory/2360-69-0x0000000000670000-0x000000000172A000-memory.dmp

          Filesize

          16.7MB

          Download

        • memory/2360-70-0x0000000000670000-0x000000000172A000-memory.dmp

          Filesize

          16.7MB

          Download

        • memory/2360-71-0x0000000000670000-0x000000000172A000-memory.dmp

          Filesize

          16.7MB

          Download

        • memory/2360-73-0x0000000000670000-0x000000000172A000-memory.dmp

          Filesize

          16.7MB

          Download

        • memory/2360-74-0x00000000002F0000-0x00000000002F2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2360-76-0x0000000000670000-0x000000000172A000-memory.dmp

          Filesize

          16.7MB

          Download

        • memory/2800-52-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download