Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 06/07/2024, 01:19
Static task: static1
Behavioral task: behavioral1
Sample: 278081c237457aae1adf9bf89b269490.dll
Resource: win7-20240220-en
General
Target: 278081c237457aae1adf9bf89b269490.dll
Size: 120KB
MD5: 278081c237457aae1adf9bf89b269490
SHA1: 925da4535f3fabf8a054c6c0becc373c1bdd44a9
SHA256: 84a6053f02280f23936da10437d8c18f0bebe8ca481d08c165cfa74c8936685b
SHA512: 287890a4032a99fdfd1d969f9a528d68c912446e0535a5a3d523d24a7d99c17ffadaeab16ea02c05f5ed291b3ad2c0a78086e762f221bcb7683c3006f112103c
SSDEEP: 1536:t4pd3AWNyzemHOzGwsOf0ZONUpcZ5OMS2gRe5qHT76fR+G5fZcUMutiqPHEu+/Sd:m8Ozt4vc6r2gU5qHT7U+y7DrIA
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f7613fe.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f7613fe.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f7613fe.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f763025.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f763025.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f763025.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f7613fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f763025.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f763025.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f763025.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f763025.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f7613fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f7613fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f763025.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f7613fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f763025.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f763025.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f7613fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f7613fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f7613fe.exe
Executes dropped EXE 3 IoCs
pid | Process
1624 | f7613fe.exe
2632 | f7615d2.exe
360 | f763025.exe
Loads dropped DLL 6 IoCs
pid | Process
2924 | rundll32.exe
2924 | rundll32.exe
2924 | rundll32.exe
2924 | rundll32.exe
2924 | rundll32.exe
2924 | rundll32.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f7613fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f763025.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f7613fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f763025.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f7613fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f763025.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f763025.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f7613fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f7613fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f7613fe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f763025.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f7613fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f763025.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f763025.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f7613fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f763025.exe
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | f7613fe.exe
File opened (read-only) | \??\G: | f7613fe.exe
File opened (read-only) | \??\H: | f7613fe.exe
File opened (read-only) | \??\I: | f7613fe.exe
File opened (read-only) | \??\L: | f7613fe.exe
File opened (read-only) | \??\M: | f7613fe.exe
File opened (read-only) | \??\N: | f7613fe.exe
File opened (read-only) | \??\J: | f7613fe.exe
File opened (read-only) | \??\K: | f7613fe.exe
File opened (read-only) | \??\O: | f7613fe.exe
File opened (read-only) | \??\P: | f7613fe.exe
File opened (read-only) | \??\E: | f763025.exe
File opened (read-only) | \??\G: | f763025.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\f766519 | f763025.exe
File created | C:\Windows\f76145b | f7613fe.exe
File opened for modification | C:\Windows\SYSTEM.INI | f7613fe.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
1624 | f7613fe.exe
1624 | f7613fe.exe
360 | f763025.exe
Suspicious use of AdjustPrivilegeToken 41 IoCs
Suspicious use of WriteProcessMemory 36 IoCs
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f7613fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f763025.exe
Processes
- C:\Windows\system32\Dwm.exe  PID:1040
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE  PID:1084
  command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe  PID:2912
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\278081c237457aae1adf9bf89b269490.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe  PID:2924
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\278081c237457aae1adf9bf89b269490.dll,#1
      signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\f7613fe.exe  PID:1624
        command line: C:\Users\Admin\AppData\Local\Temp\f7613fe.exe
        signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\f7615d2.exe  PID:2632
        command line: C:\Users\Admin\AppData\Local\Temp\f7615d2.exe
        signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\f763025.exe  PID:360
        command line: C:\Users\Admin\AppData\Local\Temp\f763025.exe
        signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\taskhost.exe  PID:1092
  command line: "taskhost.exe"
- C:\Windows\system32\DllHost.exe  PID:1428
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 257B
  MD5: 61ce88ec2646f852012ef51ce3b108a0
  SHA1: 2657434441875bead25e62f71b7ea2d32a38fee4
  SHA256: f172a972ac7c82967463ce5c6fbe275b34d84456c7c008ea07c28e198b7815e8
  SHA512: 855b26aad0fa425494703b3c50f071f8932f4fb4453795f4f86befdebb815c45771ac8ecb0062573362d76c5881d570bced7662f61e143fe2e759e020c6989f6
- Filesize: 97KB
  MD5: d7ceab29bb3450d305e50a7b701a694b
  SHA1: 46021d7b5772b352ea015603aeac533d1874099d
  SHA256: ad7dd9926ae32146dcf161a680f28c10ef6d18031f4a7d0c9fd8fb3a1ac49af9
  SHA512: aa29a49ca617815930ee8a79b8d1af22eedffd10984639b13efdb8ae6ea337aa76cc7c22cf951f9ae06b5801867908887bd703a54e73462e0fc5daba7219afad