Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 15/07/2024, 10:08
Static task: static1
Behavioral task: behavioral1
- Sample: b56b2244d3154c22b8155e1f332a8c49435fb9b62d0efbf48c85c54c0c65ac33.dll
- Resource: win7-20240704-en
General
- Target: b56b2244d3154c22b8155e1f332a8c49435fb9b62d0efbf48c85c54c0c65ac33.dll
- Size: 120KB
- MD5: c08abe389d2af88b03966ca3b8187660
- SHA1: 6e220abbfac9b033296fab2668e8a22ebf5f29de
- SHA256: b56b2244d3154c22b8155e1f332a8c49435fb9b62d0efbf48c85c54c0c65ac33
- SHA512: 47d4958f07ce85dca5c3d5e2bb436349e5757cb7d39396a8cf4a679cace7dc7cda04db3b5c1c70d5cca54d527ca4f978c021c8ecaae956a104e7aee4e54fccf8
- SSDEEP: 1536:R6vLu4JPG5XN9y8PvX2MGl2Q9EOj3rvq0NvAXCpeOVB/crJwUHdxMZkyl5b:MvC4JufBvGAQ9FVIXr8/crJBDixl
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f768823.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f768823.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f768823.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76864f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76864f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76864f.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f768823.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76864f.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76864f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76864f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76864f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76864f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f768823.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f768823.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76864f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76864f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f768823.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f768823.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f768823.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f768823.exe
Executes dropped EXE 3 IoCs
pid | Process
2388 | f76864f.exe
2660 | f768823.exe
2488 | f76a219.exe

Loads dropped DLL 6 IoCs
pid | Process
2352 | rundll32.exe (6 identical entries)
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76864f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f768823.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f768823.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f768823.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76864f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76864f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76864f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f768823.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f768823.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76864f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76864f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76864f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f768823.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f768823.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76864f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f768823.exe
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T: (one entry per drive letter) | f76864f.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\f7686bd | f76864f.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76864f.exe
File created | C:\Windows\f76d681 | f768823.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
2388 | f76864f.exe (2 identical entries)
2660 | f768823.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2388 | f76864f.exe (23 identical entries)
Token: SeDebugPrivilege | 2660 | f768823.exe (23 identical entries)
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target
PID 2912 wrote to memory of 2352 | 2912 | rundll32.exe | 30 (7 identical entries)
PID 2352 wrote to memory of 2388 | 2352 | rundll32.exe | 31 (4 identical entries)
PID 2388 wrote to memory of 1096 | 2388 | f76864f.exe | 19 (2 identical entries)
PID 2388 wrote to memory of 1152 | 2388 | f76864f.exe | 20 (2 identical entries)
PID 2388 wrote to memory of 1196 | 2388 | f76864f.exe | 21 (2 identical entries)
PID 2388 wrote to memory of 1388 | 2388 | f76864f.exe | 24 (2 identical entries)
PID 2388 wrote to memory of 2912 | 2388 | f76864f.exe | 29
PID 2388 wrote to memory of 2352 | 2388 | f76864f.exe | 30 (2 identical entries)
PID 2352 wrote to memory of 2660 | 2352 | rundll32.exe | 32 (4 identical entries)
PID 2352 wrote to memory of 2488 | 2352 | rundll32.exe | 33 (4 identical entries)
PID 2388 wrote to memory of 2660 | 2388 | f76864f.exe | 32 (2 identical entries)
PID 2388 wrote to memory of 2488 | 2388 | f76864f.exe | 33 (2 identical entries)
PID 2660 wrote to memory of 1096 | 2660 | f768823.exe | 19
PID 2660 wrote to memory of 1152 | 2660 | f768823.exe | 20
PID 2660 wrote to memory of 1196 | 2660 | f768823.exe | 21
PID 2660 wrote to memory of 1388 | 2660 | f768823.exe | 24
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76864f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f768823.exe
Processes
- C:\Windows\system32\taskhost.exe (command line: "taskhost.exe"), PID:1096
- C:\Windows\system32\Dwm.exe (command line: "C:\Windows\system32\Dwm.exe"), PID:1152
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID:1196
- C:\Windows\system32\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b56b2244d3154c22b8155e1f332a8c49435fb9b62d0efbf48c85c54c0c65ac33.dll,#1), PID:2912
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b56b2244d3154c22b8155e1f332a8c49435fb9b62d0efbf48c85c54c0c65ac33.dll,#1), PID:2352
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f76864f.exe (command line: C:\Users\Admin\AppData\Local\Temp\f76864f.exe), PID:2388
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f768823.exe (command line: C:\Users\Admin\AppData\Local\Temp\f768823.exe), PID:2660
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f76a219.exe (command line: C:\Users\Admin\AppData\Local\Temp\f76a219.exe), PID:2488
      - Executes dropped EXE
- C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}), PID:1388
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 257B
  MD5: c109146363654806a84b5506e7d11f17
  SHA1: 33311c6bd2d616773208bbd84090e54d866ce0f6
  SHA256: c5d0746cfcb5205695cd42c1c82c190c3add4c45cb61e9dcb9115b857865c1cc
  SHA512: 31701d494e2800f1b56940a74fdc8561ca0f012ca58697c0e8a03a331e0aab67f6d12d90c7ba439ab62177d46f34f3d3c0e5895fce06e095e00c7823bf6b13ff
- Filesize: 97KB
  MD5: 6d9b007e245b0af3591fa7ba8c83c439
  SHA1: aa57bf707062431f8452b5c58abc43c7b75816c2
  SHA256: 2fa9484b316a71b8e4cccd660f3eb23c46ed2268bbeb4fdd684ab47491cd5cba
  SHA512: fe6f81254bba6308ba8296459f74a52215ef0a4eda9f0c885a0f3fefffcba248f06ce709265d52465c7c8c9dd41ed985a4f63b35605c359c395795dab4f4d4bd