Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
27s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
15/07/2024, 07:10
General
-
Target
a4823e7373d249fa9e1863519811f150N.dll
-
Size
120KB
-
MD5
a4823e7373d249fa9e1863519811f150
-
SHA1
2a9642310f6e005d01bf7f8ca292df39d780f8ea
-
SHA256
1a30cddaee9769a65035e903875cd3a027bb51fbc5966d84caa58ad34cc74847
-
SHA512
7fc345ee0db83deb244d5b824f6c6705ed190d9ca3dc7722175e9aa05264b34bef446e38f1ecc712432b7570eb36fc0cc14b858103af1970fb88a575e1ef84c1
-
SSDEEP
3072:VkhWKfycRn3i0+x70hWCuVl/+ckztD7cosp:xKfjRnSp70wmRztD7s
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a4823e7373d249fa9e1863519811f150N.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a4823e7373d249fa9e1863519811f150N.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f7721a4.exeC:\Users\Admin\AppData\Local\Temp\f7721a4.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f7723b6.exeC:\Users\Admin\AppData\Local\Temp\f7723b6.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f773c84.exeC:\Users\Admin\AppData\Local\Temp\f773c84.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD59c258f21cffc250f6e3f70f28b13a483
SHA1e63b95d8a578dc3da66d06226c97b91b0b645392
SHA25662630ef7f3dd39491da99d9cf249f88a1397aafaa521e8202e6464500acd802e
SHA512a500c1e56cb08ce0974758862094cc3285a64d1ff31aa7e80509f756478d189fc883a1cd82ff3dce494675bd7b8eb13b54afb8b37d53904c24b9e1fb09d9a586
-
Filesize
97KB
MD57b1f7f5b5757aa303f7b4696e78f799f
SHA1d4e83829c4773aaf3b442fcb70179dfc87bad040
SHA25668a8081558b51cecfd7f6166f454ad4c071956c1ba1a83b1bea17bbbe58a6cee
SHA512a8b3c58fb49a506b36a72b39c9cd548d62ac777d701494a69f9c0fd0b3ba9758fbcf20a3dc8b531f3ca0bd6976ca62c1bf4f480d5740dcf0eb8935ebf243a362
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB