Analysis
max time kernel: 28s
max time network: 19s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 22/10/2023, 17:27
Static task: static1
Behavioral task: behavioral1
Sample: NEAS.bf0252fb37b0ea288eb95f7a1efab790.dll
Resource: win7-20230831-en
General
Target: NEAS.bf0252fb37b0ea288eb95f7a1efab790.dll
Size: 120KB
MD5: bf0252fb37b0ea288eb95f7a1efab790
SHA1: 7ec6826af6c96c1eb16407951398578a6795d435
SHA256: 07f30401b80deb5f5d379207df94bb69da730c9f3c4f55a7e9f9456a3f4c247a
SHA512: 9a7a63ecba6e9d8cdeda2cdc05ce4c8729a9d3f40984961f3b1efe4c4c342fb112383124dde8312cb082b7ef152b017db84eebea399694457a6c43197d0cadb2
SSDEEP: 1536:62FwS9Jjdr8umXZWuXEgBAu0xo64IN7QEdTgJo6b0f83TXuPSdtA:62FdRxy7Xloxo64abIA8Ta2
Malware Config
Extracted family: sality
C2 URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (f76dda2.exe)
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (f76dda2.exe)
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (f76dda2.exe)
- UAC bypass
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f76dda2.exe)
- Windows security bypass
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f76dda2.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f76dda2.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f76dda2.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f76dda2.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f76dda2.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f76dda2.exe)
- Executes dropped EXE (2 IoCs)
  PID 2360 f76dda2.exe
  PID 2800 f76f538.exe
- Loads dropped DLL (4 IoCs)
  PID 1720 rundll32.exe (4 occurrences)
- Yara rule match: upx (19 IoCs)
  behavioral1 memory dumps of PID 2360, region 0x0000000000670000-0x000000000172A000, snapshots 14, 16, 17, 18, 21, 24, 26, 34, 57, 62, 65, 66, 67, 69, 70, 71, 73, 76 and 82 (behavioral1/memory/2360-<snapshot>-0x0000000000670000-0x000000000172A000-memory.dmp)
- Windows security modification
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (f76dda2.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f76dda2.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f76dda2.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f76dda2.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f76dda2.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f76dda2.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f76dda2.exe)
- Checks whether UAC is enabled
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f76dda2.exe)
- Enumerates connected drives (3 TTPs, 5 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) \??\E: (f76dda2.exe)
  File opened (read-only) \??\G: (f76dda2.exe)
  File opened (read-only) \??\H: (f76dda2.exe)
  File opened (read-only) \??\I: (f76dda2.exe)
  File opened (read-only) \??\J: (f76dda2.exe)
- Drops file in Windows directory (2 IoCs)
  File created C:\Windows\f76e3ab (f76dda2.exe)
  File opened for modification C:\Windows\SYSTEM.INI (f76dda2.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2360 f76dda2.exe (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Token: SeDebugPrivilege, PID 2360 f76dda2.exe (23 occurrences)
- Suspicious use of WriteProcessMemory (25 IoCs)
  PID 2788 wrote to memory of 1720 | 2788 rundll32.exe | procid_target 28 (7 occurrences)
  PID 1720 wrote to memory of 2360 | 1720 rundll32.exe | procid_target 29 (4 occurrences)
  PID 2360 wrote to memory of 1060 | 2360 f76dda2.exe | procid_target 17
  PID 2360 wrote to memory of 1136 | 2360 f76dda2.exe | procid_target 15
  PID 2360 wrote to memory of 1180 | 2360 f76dda2.exe | procid_target 14
  PID 2360 wrote to memory of 2788 | 2360 f76dda2.exe | procid_target 10
  PID 2360 wrote to memory of 1720 | 2360 f76dda2.exe | procid_target 28 (2 occurrences)
  PID 1720 wrote to memory of 2800 | 1720 rundll32.exe | procid_target 32 (4 occurrences)
  PID 2360 wrote to memory of 1060 | 2360 f76dda2.exe | procid_target 17
  PID 2360 wrote to memory of 1136 | 2360 f76dda2.exe | procid_target 15
  PID 2360 wrote to memory of 1180 | 2360 f76dda2.exe | procid_target 14
  PID 2360 wrote to memory of 2800 | 2360 f76dda2.exe | procid_target 32
- System policy modification (1 TTPs, 1 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f76dda2.exe)
Processes
- C:\Windows\system32\rundll32.exe (PID: 2788)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.bf0252fb37b0ea288eb95f7a1efab790.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID: 1720)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.bf0252fb37b0ea288eb95f7a1efab790.dll,#1
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f76dda2.exe (PID: 2360)
      Command line: C:\Users\Admin\AppData\Local\Temp\f76dda2.exe
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f76f538.exe (PID: 2800)
      Command line: C:\Users\Admin\AppData\Local\Temp\f76f538.exe
      - Executes dropped EXE
- C:\Windows\Explorer.EXE (PID: 1180)
  Command line: C:\Windows\Explorer.EXE
- C:\Windows\system32\Dwm.exe (PID: 1136)
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\system32\taskhost.exe (PID: 1060)
  Command line: "taskhost.exe"
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: db1af904d9e9fb4b76fd4df6de08899a
  SHA1: c8dce04f015b3dbcc1b8327cbac33019af86d25f
  SHA256: 2a8b3e1bfcf42a04156b3cfab9256c9720541bd059f3ec38c6fc15aa3a550797
  SHA512: be59925891e6d50ad8f9b735dba09d892f13eeb30385e0ac42a17b6352a6418069f103735df00b05464ce991bc2b742b6628b3c2bd46858687a26531db190311