Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
29/12/2023, 19:35
General
-
Target
01e6b8c6f9a783a38e5db34d0fac0786.exe
-
Size
163KB
-
MD5
01e6b8c6f9a783a38e5db34d0fac0786
-
SHA1
c47e0a1754a09d3488defc1f60bcf380d4befea1
-
SHA256
e194c269292c77ec647d41b210f124caaf9a4e7f921be2b5e5568637bb8ca829
-
SHA512
0baec11b16bfe4528e0a094510d932244786c0a938184cc4729cb69cbacc1a47f9fa17f9ca3026db460b3567f1dd5151871e94f790d49bbcb0b3b9679bb74154
-
SSDEEP
3072:g887lQUdaQCFsISRmnHgUb0lNrGSHrOLbHg9PzZV4vK+OmnW:g83UsNqCSHiA9LZV4vK+dn
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Disables RegEdit via registry modification 2 IoCs
-
Disables Task Manager via registry modification
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 4 IoCs
-
UPX packed file 18 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 28 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\01e6b8c6f9a783a38e5db34d0fac0786.exe"C:\Users\Admin\AppData\Local\Temp\01e6b8c6f9a783a38e5db34d0fac0786.exe"1⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Users\Admin\AppData\Local\Temp\01e6b8c6f9a783a38e5db34d0fac0786.exe"C:\Users\Admin\AppData\Local\Temp\01e6b8c6f9a783a38e5db34d0fac0786.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Sykwko.exe"C:\Users\Admin\AppData\Roaming\Sykwko.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
C:\Users\Admin\AppData\Roaming\Sykwko.exe"C:\Users\Admin\AppData\Roaming\Sykwko.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE"3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1904 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344B
MD5356fdc546ff13c060f0f988de424b3e7
SHA1786fb887ffc6f56c88bc5284c9078e4e5f4361f6
SHA256f76eec51825a8a57595c8d5ab9d212d0dc491b395debdfaee678d24d4529849f
SHA51241ec34e7923b319a3e70cb399f1336e694042c0979fea61b27fdef22a7b8ed63718381a7c62cbe4c6d82a5c69a5331785e1ebec8fd4503dee92c496c38c691a2
-
Filesize
344B
MD5f503672df9ba8f1362b4367e31850215
SHA192eb730482730bea14de2b5d2d21a198434e48d3
SHA2566c428c5b657514609cdc5bb074533956b49098266eb7c9cf4115b2c5b31a215a
SHA512ed55ebd50bfff8885e1666ab0d938da02f19b4e220d2046a1ebc5eee6928863a2ced49b0cd16b219893e49e06a66996d4c35119f3737084737302a35422829eb
-
Filesize
344B
MD54dc36dd38dc0ad6b24bcf08e18e59dae
SHA12162df1fb6ca636d300b9cce571c8285043c3530
SHA256b5df052b5b063853be08a0e1730bf2d720a803fd9d61ee077a0a948a4bbf8389
SHA5129c1046780e48f7b50149111ecd87c2408a50494861dbb3d0c87ec3a1a78f90aa84b9f0804b387c7214bf6ec92a671b109c9c6c85e20818b6930be3280cf97a67
-
Filesize
344B
MD538d1eb805cc8e97b6e3f656cfa0f83c5
SHA1154c492d9ab271b5ef3e6d994a0cc3f8cc788741
SHA256dd6c402ba47e4f4ba8e66394836c8b90096538079fbbdb793c9523d883e1f9fe
SHA512e555f4e3de9c4170b837a187d1c44b99b7890d5c06b9436b941ab1f91d683b8e589ca693e3d996161ae8aa77f43870b500d415ed0d51cf2b0a9fba6270ac9f89
-
Filesize
344B
MD5d963d0f7cc2e620e50f1b7c0199b15a5
SHA1e2dec4ec891f383e246dad3c199e8b813faee433
SHA256e6683e2317ac260170dc5d6148529d23ccd3b9586b9b7dfb3404d08e77ca3a26
SHA5125993efc594a17db68cc2708ea5e96a5a1e0198abf62f6606f5a6e09df8bbbb07f3f4efdfd0c0984f3b2a1276eb195c36dc5067829ef06ecf67d7e91be18fe289
-
Filesize
344B
MD5be86ce343b0810683d405f4afa135b5c
SHA13fd4c1942c1cf6c4c26ed07d4ddcfabf17ae359e
SHA25692d9591db33e0a12ebdcf7eb37a736aaf896fbff7945e57718fa4bea01794165
SHA512eb4bec19c5d87105ef94f7372a8942761943ecccbbc86747ff983ab2e8df7c76e86db668a6618ec38d3a1449707e8c106eef305f462b5a28108cbd0bb0b6d5d1
-
Filesize
344B
MD5eb651876b7b99ba018b56ebf2f3ef2d6
SHA18bbf137870a76f7c71b4611972652afb53e94908
SHA256be52999b6539b5faee31665b07190ae7430276e3cbb4e9c766314bf7f463280d
SHA5122bce70540a96ab0b2c1a335486107b8fc94ee3db51719a4dbd28d40158528b331c2bbca6269f714cda148f369bce6ef3ff70a46285a4f5b1734fdeb016460e1f
-
Filesize
344B
MD55d6b37f5db189e406911c6e653ad4e1f
SHA17460a71adc22c4a61d12326f0fc8a6db78039d57
SHA256ccc061550f85a1946a70790ed8540fcc2f197cdf11458da58d9e1c075d6a0084
SHA512003aa2625dec77a3d2cb6a222f5c423c758bc872f64d96e51b7dabb4f48273d93708da744ea79237afe182f7f8eca6a9e32eefb2af5df854b483bf006664c6df
-
Filesize
344B
MD58f7fb694dd106b0e684284bc72fa18b1
SHA1c0b0ab8ec4a112856e54b52af2f2f61cef95df3d
SHA256b0baace2bbc81ebd5dfd60542eea61ea8ad7aa109cb1267a1b68c0321ef37100
SHA512402579aacef66ad95fe0d2d4dfe4f218342c349ca5cc132d5a2b0fc0916176c9d23abc340e94943ee40fcde40b8c47ffd2fe12fba76c1ed364b21d99e79b33d9
-
Filesize
344B
MD5941f7b2609915b1ffece5aea369240d0
SHA1d707a95cab4d263208ec96c7a5341b49b34e27d2
SHA256bd93f3a0c732589863c27bae5002b5609fd9024472b0e944677dd5f1de098d7d
SHA51212f24e7a787c86dc1110c71294114c0fa2dc9d42bec04bfc40c4dcec4cc3f2798d7a3f4f44c44498e6a383fb6857b11e5322c98341c8991926dddd330ea90df7
-
Filesize
163KB
MD501e6b8c6f9a783a38e5db34d0fac0786
SHA1c47e0a1754a09d3488defc1f60bcf380d4befea1
SHA256e194c269292c77ec647d41b210f124caaf9a4e7f921be2b5e5568637bb8ca829
SHA5120baec11b16bfe4528e0a094510d932244786c0a938184cc4729cb69cbacc1a47f9fa17f9ca3026db460b3567f1dd5151871e94f790d49bbcb0b3b9679bb74154
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
257B
MD5759dd8f3c2379cd4dd478297d750c560
SHA16200acc19a6b852cf09aed51c1db6413d8ee26be
SHA256c5420147b2ddf7b15601ee79a23263f252745a8b2daeba0f724613574e5dbbcd
SHA512f002bba2715916f56c20e1bff4b7baa16949e1b872919927bf0466693d04704d832559c34d7492e9d45ed284c9562c078ef84de1d72b58dfe60deae991d30752
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
180KB
-
Filesize
16.6MB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
180KB
-
Filesize
164KB
-
Filesize
4KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
16.6MB
-
Filesize
180KB
-
Filesize
16.6MB
-
Filesize
180KB
-
Filesize
16.6MB
-
Filesize
180KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
164KB
-
Filesize
164KB