Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 54s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
- submitted: 08/01/2024, 20:07
Static task
static1
Behavioral task
behavioral1
Sample
a23bb58ae7ffb23c1f5b877d87978b10.exe
Resource
win7-20231215-en
General
- Target: a23bb58ae7ffb23c1f5b877d87978b10.exe
- Size: 1012KB
- MD5: a23bb58ae7ffb23c1f5b877d87978b10
- SHA1: 2d3a5f3894325fa1553507c15be3fcc34eec9cca
- SHA256: 969d86f872448654ec18e98d7277ff124b7cc26f515008a954bd21d10b35a586
- SHA512: dd185942e486343c479a3f87b37175893d5fd51aeb7d721959f582560c3fe87fcbca614f491b8fa90fb318053dee62a546ae8eac7ba25bdcc3cd3ee92990ec10
- SSDEEP: 12288:k1/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0INK4h1oWxJpcEi0/3IWV//7cSdbuPcCn:k1/aGLDCM4D8ayGM0R3o8/HuPfDQy
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | a23bb58ae7ffb23c1f5b877d87978b10.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | a23bb58ae7ffb23c1f5b877d87978b10.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | a23bb58ae7ffb23c1f5b877d87978b10.exe
-
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a23bb58ae7ffb23c1f5b877d87978b10.exe
-
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | a23bb58ae7ffb23c1f5b877d87978b10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | a23bb58ae7ffb23c1f5b877d87978b10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | a23bb58ae7ffb23c1f5b877d87978b10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | a23bb58ae7ffb23c1f5b877d87978b10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | a23bb58ae7ffb23c1f5b877d87978b10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | a23bb58ae7ffb23c1f5b877d87978b10.exe
-
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | a23bb58ae7ffb23c1f5b877d87978b10.exe
-
Disables Task Manager via registry modification
-
Executes dropped EXE 1 IoCs
pid | Process
2752 | hvatjw.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2056 | a23bb58ae7ffb23c1f5b877d87978b10.exe
2056 | a23bb58ae7ffb23c1f5b877d87978b10.exe
-
resource | yara_rule
behavioral1/memory/2056-1-0x0000000001F90000-0x000000000301E000-memory.dmp | upx
behavioral1/memory/2056-11-0x0000000001F90000-0x000000000301E000-memory.dmp | upx
behavioral1/memory/2056-13-0x0000000001F90000-0x000000000301E000-memory.dmp | upx
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | a23bb58ae7ffb23c1f5b877d87978b10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | a23bb58ae7ffb23c1f5b877d87978b10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | a23bb58ae7ffb23c1f5b877d87978b10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | a23bb58ae7ffb23c1f5b877d87978b10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | a23bb58ae7ffb23c1f5b877d87978b10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | a23bb58ae7ffb23c1f5b877d87978b10.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | a23bb58ae7ffb23c1f5b877d87978b10.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\hvatjw.exe" | hvatjw.exe
-
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a23bb58ae7ffb23c1f5b877d87978b10.exe
-
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | a23bb58ae7ffb23c1f5b877d87978b10.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 2056 wrote to memory of 2752 | 2056 | a23bb58ae7ffb23c1f5b877d87978b10.exe | 21
PID 2056 wrote to memory of 2752 | 2056 | a23bb58ae7ffb23c1f5b877d87978b10.exe | 21
PID 2056 wrote to memory of 2752 | 2056 | a23bb58ae7ffb23c1f5b877d87978b10.exe | 21
PID 2056 wrote to memory of 2752 | 2056 | a23bb58ae7ffb23c1f5b877d87978b10.exe | 21
-
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a23bb58ae7ffb23c1f5b877d87978b10.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a23bb58ae7ffb23c1f5b877d87978b10.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a23bb58ae7ffb23c1f5b877d87978b10.exe"
  PID: 2056
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Loads dropped DLL
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\ProgramData\hvatjw.exe (child of PID 2056)
    Command line: "C:\ProgramData\hvatjw.exe"
    PID: 2752
    - Executes dropped EXE
    - Adds Run key to start application
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 48KB
  MD5: 743df1c7d12ede5e0c1186013671622d
  SHA1: 18de64b392722afd29a6251055119cc7eae47b4f
  SHA256: da6586c676f94a21f5c56238943190ddd2b0ccda7d80f1b7708db4c3f1e19ba5
  SHA512: d8e53ac7059f2c5bd8270d5972bceba0d4350dbbb90e9a0ee9b39debc95fcaae729c40de961c001773f2a197e5079bae7948cbd3df3e35f92072fb11ab7fb1fb
- Filesize: 5KB
  MD5: 56d7ed3bffcf26bc7f91a1c0e35adc25
  SHA1: 24c4348bce35627e385585362ad6e909260dcd20
  SHA256: de071b82d3c99b09990c03963c272c6fc3aba7cf03d53d32a827edab1d787fbc
  SHA512: 7d8202fc93567c65d2d62ca7b2a4bd7de720a0f8907297afb48ce0863c3811582caeb3976d512a2bfc1db0148b2a9e0e5dd07d135704406129af9e4af1a778e0
- Filesize: 32KB
  MD5: 694be70230be78b07d1e8e9e72c13187
  SHA1: d162447efcc7ae8cf85d222c3f6f84deb701852f
  SHA256: 5f7395445194115d5741fbf824405176a60ece98df69fa980143f562bc181baa
  SHA512: 28e74ee1994de550bf4826bc954f3745c164c0cd1f0837b5f53d0f48edaee2ad62d39fd319a295793d07db4c51bf6b051ad379efe374b6a063db406e0937e774
- Filesize: 1KB
  MD5: 2ff629b5d3035af0edc4ae85ecc127e9
  SHA1: 871aeca2177b474eb2af17d6efb7c9543c36190f
  SHA256: 5e28adea167f45103bf38a69fad433137f8c11da21f2c455b0c85d0b335ea0a7
  SHA512: 71432462e906346f72647228a6b2b653629b539b8c025f69fd6315f62ae0d512b96c624c62139676882991176034985237c8cb0a044b2b44e45059eaf7e2f7be
- Filesize: 16KB
  MD5: 09c30dccd8661e6b24a1f8d2731d652b
  SHA1: 6d996121c1a2bf1288aad69e3906dd0e8065f519
  SHA256: 15553b3cdfcae8b4d45bf5c11c32f335f00876e87bce6793a0d9e8b10bff17ed
  SHA512: 98db06f4a92f77ad6e94a137123f56896712da0260f208c015099eac4f8021063633294fade70a9a58ffc5037b709017d138d5df0e22bf2e30281481f7ace6e4