Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
22/10/2023, 17:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe
Resource
win7-20231020-en
windows7-x64
16 signatures
150 seconds
General
-
Target
NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe
-
Size
440KB
-
MD5
8d0f10a9ab84ce2f87e2c3342adb6ec0
-
SHA1
b9b8979d1d907eca26a14f81880e59dc7bbfaef0
-
SHA256
f0a9204ae936d9e765bec6ed87cdf94ae16dabbcc00cbda1dc72a5fe555d3478
-
SHA512
796be450c9fd637744e01c9d0d8caef034464371ecd07f6049a29e96de0ef4927920147b3001a553df0d0733443f12a72c526e5106544f384aef5ea0f3042030
-
SSDEEP
3072:uMs3fGBjN1Jrpi0kOBzleK6VU6SaQFQMg6WNjjeOi04Qy/cddX3rZQcVi4Kky:un3MN1JlveK6VUsQOjTjuR/cDZQcVW
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\hidefileext = "1" NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe -
resource yara_rule behavioral2/memory/3968-1-0x0000000002AD0000-0x0000000003B8A000-memory.dmp upx behavioral2/memory/3968-5-0x0000000002AD0000-0x0000000003B8A000-memory.dmp upx behavioral2/memory/3968-6-0x0000000002AD0000-0x0000000003B8A000-memory.dmp upx behavioral2/memory/3968-9-0x0000000002AD0000-0x0000000003B8A000-memory.dmp upx behavioral2/memory/3968-16-0x0000000002AD0000-0x0000000003B8A000-memory.dmp upx behavioral2/memory/3968-27-0x0000000002AD0000-0x0000000003B8A000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe File created C:\windows\Dos.txt NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe File opened for modification C:\windows\Dos.txt NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe File created C:\Windows\e576ee6 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000_Classes\Local Settings explorer.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe Token: SeDebugPrivilege 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 3968 wrote to memory of 776 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe 85 PID 3968 wrote to memory of 780 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe 84 PID 3968 wrote to memory of 1016 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe 9 PID 3968 wrote to memory of 2328 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe 68 PID 3968 wrote to memory of 2352 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe 67 PID 3968 wrote to memory of 2544 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe 64 PID 3968 wrote to memory of 3252 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe 57 PID 3968 wrote to memory of 3380 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe 56 PID 3968 wrote to memory of 3612 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe 55 PID 3968 wrote to memory of 3704 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe 29 PID 3968 wrote to memory of 3820 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe 28 PID 3968 wrote to memory of 3904 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe 54 PID 3968 wrote to memory of 4024 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe 53 PID 3968 wrote to memory of 4976 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe 30 PID 3968 wrote to memory of 4624 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe 32 PID 3968 wrote to memory of 4824 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe 33 PID 3968 wrote to memory of 2832 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe 41 PID 3968 wrote to memory of 3168 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe 37 PID 3968 wrote to memory of 5076 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe 36 PID 3968 wrote to memory of 4216 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe 35 PID 3968 wrote to memory of 2116 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe 88 PID 3968 wrote to memory of 2116 3968 NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe 88 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe
Processes
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:1016
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3820
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3704
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4976
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:4624
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4824
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:4216
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵PID:5076
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca1⤵PID:3168
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2832
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4024
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3904
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3612
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3380
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3252
-
C:\Users\Admin\AppData\Local\Temp\NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.8d0f10a9ab84ce2f87e2c3342adb6ec0.exe"2⤵
- Modifies firewall policy service
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3968 -
C:\windows\explorer.exeC:\windows\explorer.exe3⤵
- Modifies registry class
PID:2116
-
-
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2544
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2352
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2328
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:780
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:776
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1