Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
18/03/2024, 12:51
General
-
Target
2024-03-18_debe02b168a4f89db695c83009709f02_magniber.exe
-
Size
1.4MB
-
MD5
debe02b168a4f89db695c83009709f02
-
SHA1
642b056532c1151162efd80a68995fcfb3b79091
-
SHA256
ca0a8c2ce9807265ba3e4946088370116d378850340d2e1a1798b5c55f6a7a3d
-
SHA512
d578371728cbff4c3e29eb2ac9effd18f3bd5956028c966f5e96025a319131800bd8f4da29c5df075bf8655da4f118c00d9c4db912150242f3142f015fb0b891
-
SSDEEP
24576:isFRhoq8oLxYGuzAGKFDuXNR2TGxTEcvC7V9qK7:fyo6xKFDuXA2TTIqK7
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 7 IoCs
-
UPX dump on OEP (original entry point) 10 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-03-18_debe02b168a4f89db695c83009709f02_magniber.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-18_debe02b168a4f89db695c83009709f02_magniber.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\{29A6BCFD-3B12-49F8-B7B6-108DEE197812}\2024-03-18_debe02b168a4f89db695c83009709f02_magniber.exeC:\Users\Admin\AppData\Local\Temp\{29A6BCFD-3B12-49F8-B7B6-108DEE197812}\2024-03-18_debe02b168a4f89db695c83009709f02_magniber.exe /q"C:\Users\Admin\AppData\Local\Temp\2024-03-18_debe02b168a4f89db695c83009709f02_magniber.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{29A6BCFD-3B12-49F8-B7B6-108DEE197812}" /IS_temp3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\system32\explorer.exe4⤵
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD5b929f960f5b50c1c3b0c17b0b421b12e
SHA1ba799af937cbc036fb4c87c1817f6e766913e10c
SHA256f169caed4fd4ef22ab973a1d10d61856b081831915babe6a34fa08f673281593
SHA5122247130c728d53c8118825b576d409d9b6f5566e71704f9e630fefbea559a887380dd412c6f6b3086eab17effe698f02672985a18166e8a7a4f37b7d952360ff
-
Filesize
1.3MB
MD58267d7dfe8aa852e94e17aadbf7fe14e
SHA18487559d818a768709503279850256a2094b28d1
SHA256dff72e719b51436ae5e7a941d2d26899fc8fd92b9dabb9429c0abcf8eec40acb
SHA51245a5150b1f44c8019eb7614d2d4eb8fb75819b828c9845c282d109d1247cd9940a9fc16979debff82f1ae09a3dad5ed0b611202327b216242b3a849b09028d04
-
Filesize
45KB
MD5d758053bf23874db94c075e627a185c1
SHA105f7d00d576901b2668af250b5486e8e6935ae82
SHA256246590cc94932ca84e3c88b09788815a7f42033bc14ebc08ed800b4e2f22eab5
SHA5129da1d67b594ea653cd1429dece68088a17f3da188ede140748fee21eed75d9d84e74d36360be5b363a6924aba7b8b4b9c5f583f8c6942e5916eca095438a0d48
-
Filesize
20B
MD5db9af7503f195df96593ac42d5519075
SHA11b487531bad10f77750b8a50aca48593379e5f56
SHA2560a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13
SHA5126839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b
-
Filesize
780B
MD5ffdc7b55ac68ba602f3ab30af2c9c627
SHA1bce236cf37ec495b168ec24a4f35d505d2ee30ca
SHA256cd0c072358871020c40543fa518ff40d947b0c49b3a1c50935ce5420893275ce
SHA5124de171aae8aee902ec88b88043c0770705e9f8cdaf0779ff1173c6b97082df79b023a4fc1fbc8f94d1678ba0c8170363158219f01a90a315e5642c051adc33d4
-
Filesize
1.4MB
MD5debe02b168a4f89db695c83009709f02
SHA1642b056532c1151162efd80a68995fcfb3b79091
SHA256ca0a8c2ce9807265ba3e4946088370116d378850340d2e1a1798b5c55f6a7a3d
SHA512d578371728cbff4c3e29eb2ac9effd18f3bd5956028c966f5e96025a319131800bd8f4da29c5df075bf8655da4f118c00d9c4db912150242f3142f015fb0b891
-
Filesize
8KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
1.4MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
1.4MB
-
Filesize
16.7MB
-
Filesize
16.7MB