Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
100s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
-
submitted
28/11/2023, 08:12
General
-
Target
9bbb3527fa49e57aedd8740130a1ea1da320e1a8ce768bc1e884010273b64be7.exe
-
Size
1.5MB
-
MD5
fb4eb25f8dc7685292534db502a6405f
-
SHA1
fecb32a482ff3a841f99fd44c034e28ea477bea4
-
SHA256
9bbb3527fa49e57aedd8740130a1ea1da320e1a8ce768bc1e884010273b64be7
-
SHA512
35ed8f546f9635b986cd85dca51248021f981cfa15d91deb761c7fadd0bd961f419d48ec50ace8dd7511def9a7563a4d7e9001df1ffc411c0fe69273f3298d02
-
SSDEEP
24576:YLFZeV9rUW3uRIgRNMj88q9s14+6fsqetItnwn56fTT3RO9q:2FgVIRIgRNMY8qq1bSsqEw/3x
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 10 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\9bbb3527fa49e57aedd8740130a1ea1da320e1a8ce768bc1e884010273b64be7.exe"C:\Users\Admin\AppData\Local\Temp\9bbb3527fa49e57aedd8740130a1ea1da320e1a8ce768bc1e884010273b64be7.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\9bbb3527fa49e57aedd8740130a1ea1da320e1a8ce768bc1e884010273b64be7.exe"C:\Users\Admin\AppData\Local\Temp\9bbb3527fa49e57aedd8740130a1ea1da320e1a8ce768bc1e884010273b64be7.exe" --ws3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
209KB
MD5c02ac6a3a2cac59fbbaa6846c447b906
SHA1132c73818eeab0ad92284e937aebc890da3d83ae
SHA256b85b496fe8432ba6a1ce549a63cf6d26da251375f0f0c35b724b452dc7826fae
SHA5121b18f0dec7228a2c3cc5db97f5e72122b649f4c4253cfebb52174842adfb17fe8f9da38a7cb9bf142efa9895fddc247117a55a04f17398039974fe0c77305bc5
-
Filesize
1.1MB
MD52d9d8e898c053f9ba2c4a042ea624fbb
SHA14d0a7fe523e08982f5a683011cfee0b5921c35a2
SHA256cff0ef6c6709c6b3eb9e0973281c920f1d2f196ed06a54391e2d899d4f9bbe49
SHA5123da052de938fe0ef44ddbd08383468af649795e04dee9302327b8be7d5a2e761485cb21f96a2ed82b6ec84df9699daf99ab73b7e736c6264035168d18cfd39d1
-
Filesize
257B
MD534efd89f1723306c9c72ed95c52f3313
SHA1187fffe357a7027848dc8b66e57345f48751e294
SHA25694750d717d53c5039273b0701fda58ba4d8fbff17ba085f9824b95e32348b5aa
SHA51221f213f060d90f228ffee777914871c62cf6c1528376044efff88def065730a626c59b029c7dbd4fec51bdcd1818d405a1a70b795289467943222123a2ff3180
-
Filesize
97KB
MD5d95ce62212b183b44a7dde7b1c0ef341
SHA19c8716322445450ed6362003e4dce55cdf3232a7
SHA256ce6171a72a2e868b6efaa94ddd86bf5ba8f2e5bc50fc5826ee0dd19024d1e376
SHA5128a447dd63b17a0843aa7074bf7c97d06507d5797581409495891e97d82aeec2c7f8df88be2cd4d8cf87af4ff07fbf6dae04d697052b9c3074612bf06a45fc595
-
Filesize
8KB
-
Filesize
1.6MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
64KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
1.6MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
1.6MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB