Analysis

max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2023, 16:21
Behavioral task: behavioral1

Sample: 7c4829300063c5a22db09f463e93ab8b.exe
Resource: win7-20231129-en
3 signatures, 150 seconds
General

Target: 7c4829300063c5a22db09f463e93ab8b.exe
Size: 177KB
MD5: 7c4829300063c5a22db09f463e93ab8b
SHA1: 0710e5561af076b041420f691e970987a7812f2c
SHA256: 6aebb1315f0b543b83bff51a2e87049a59015c8bb69eff5a8ed0133d554070a0
SHA512: 8255d9921ef146a42bdc1b1ea5ee18557312b4f38f3554b7fe6441f2bd47cf9932b97312e5342548ca6fbf0e5ce531ba5b77d6fd1caea843e8499c88aff1314e
SSDEEP: 3072:PchRJgXkQbQJWB1+VK774VHRoJ00s4mVKi5QJszehcDdj5WYEgZpe:PchRJ60074FRoJkKi5Qlhcp8gy
Malware Config (extracted)

Family: sality
C2:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

UAC bypass 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7c4829300063c5a22db09f463e93ab8b.exe

Windows security bypass 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 7c4829300063c5a22db09f463e93ab8b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 7c4829300063c5a22db09f463e93ab8b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 7c4829300063c5a22db09f463e93ab8b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 7c4829300063c5a22db09f463e93ab8b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 7c4829300063c5a22db09f463e93ab8b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 7c4829300063c5a22db09f463e93ab8b.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 7c4829300063c5a22db09f463e93ab8b.exe
Disables Task Manager via registry modification

Yara rule matches
resource | yara_rule
behavioral2/memory/1620-0-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral2/memory/1620-1-0x0000000002340000-0x0000000003373000-memory.dmp | upx
behavioral2/memory/1620-3-0x0000000002340000-0x0000000003373000-memory.dmp | upx
behavioral2/memory/1620-24-0x0000000002340000-0x0000000003373000-memory.dmp | upx
behavioral2/memory/1620-44-0x0000000000400000-0x0000000000433000-memory.dmp | upx
Windows security modification 7 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 7c4829300063c5a22db09f463e93ab8b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 7c4829300063c5a22db09f463e93ab8b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 7c4829300063c5a22db09f463e93ab8b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 7c4829300063c5a22db09f463e93ab8b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 7c4829300063c5a22db09f463e93ab8b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 7c4829300063c5a22db09f463e93ab8b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 7c4829300063c5a22db09f463e93ab8b.exe
Checks whether UAC is enabled 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7c4829300063c5a22db09f463e93ab8b.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 7c4829300063c5a22db09f463e93ab8b.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1620 | 7c4829300063c5a22db09f463e93ab8b.exe
1620 | 7c4829300063c5a22db09f463e93ab8b.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1620 | 7c4829300063c5a22db09f463e93ab8b.exe
(all 64 rows are identical to the one above)
Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target
PID 1620 wrote to memory of 772 | 1620 | 7c4829300063c5a22db09f463e93ab8b.exe | 84
PID 1620 wrote to memory of 776 | 1620 | 7c4829300063c5a22db09f463e93ab8b.exe | 83
PID 1620 wrote to memory of 1020 | 1620 | 7c4829300063c5a22db09f463e93ab8b.exe | 8
PID 1620 wrote to memory of 2516 | 1620 | 7c4829300063c5a22db09f463e93ab8b.exe | 51
PID 1620 wrote to memory of 2524 | 1620 | 7c4829300063c5a22db09f463e93ab8b.exe | 50
PID 1620 wrote to memory of 2636 | 1620 | 7c4829300063c5a22db09f463e93ab8b.exe | 48
PID 1620 wrote to memory of 3248 | 1620 | 7c4829300063c5a22db09f463e93ab8b.exe | 38
PID 1620 wrote to memory of 3508 | 1620 | 7c4829300063c5a22db09f463e93ab8b.exe | 37
PID 1620 wrote to memory of 3676 | 1620 | 7c4829300063c5a22db09f463e93ab8b.exe | 36
PID 1620 wrote to memory of 3804 | 1620 | 7c4829300063c5a22db09f463e93ab8b.exe | 35
PID 1620 wrote to memory of 3880 | 1620 | 7c4829300063c5a22db09f463e93ab8b.exe | 12
PID 1620 wrote to memory of 3980 | 1620 | 7c4829300063c5a22db09f463e93ab8b.exe | 13
PID 1620 wrote to memory of 4100 | 1620 | 7c4829300063c5a22db09f463e93ab8b.exe | 34
PID 1620 wrote to memory of 1996 | 1620 | 7c4829300063c5a22db09f463e93ab8b.exe | 32
PID 1620 wrote to memory of 4844 | 1620 | 7c4829300063c5a22db09f463e93ab8b.exe | 22
PID 1620 wrote to memory of 384 | 1620 | 7c4829300063c5a22db09f463e93ab8b.exe | 85
PID 1620 wrote to memory of 3480 | 1620 | 7c4829300063c5a22db09f463e93ab8b.exe | 87
PID 1620 wrote to memory of 1960 | 1620 | 7c4829300063c5a22db09f463e93ab8b.exe | 86
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7c4829300063c5a22db09f463e93ab8b.exe
Processes

- PID 1020: C:\Windows\system32\dwm.exe (command line: "dwm.exe")
- PID 3880: C:\Windows\System32\RuntimeBroker.exe (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- PID 3980: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca)
- PID 4844: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca)
- PID 1996: C:\Windows\System32\RuntimeBroker.exe (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- PID 4100: C:\Windows\System32\RuntimeBroker.exe (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- PID 3804: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca)
- PID 3676: C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})
- PID 3508: C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc)
- PID 3248: C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - PID 1620: C:\Users\Admin\AppData\Local\Temp\7c4829300063c5a22db09f463e93ab8b.exe (command line: "C:\Users\Admin\AppData\Local\Temp\7c4829300063c5a22db09f463e93ab8b.exe")
    Signatures triggered by this process:
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
- PID 2636: C:\Windows\system32\taskhostw.exe (command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E})
- PID 2524: C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc)
- PID 2516: C:\Windows\system32\sihost.exe (command line: sihost.exe)
- PID 776: C:\Windows\system32\fontdrvhost.exe (command line: "fontdrvhost.exe")
- PID 772: C:\Windows\system32\fontdrvhost.exe (command line: "fontdrvhost.exe")
- PID 384: C:\Windows\system32\backgroundTaskHost.exe (command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca)
- PID 1960: C:\Windows\system32\backgroundTaskHost.exe (command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca)
- PID 3480: C:\Windows\system32\backgroundTaskHost.exe (command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca)