Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 22/07/2024, 22:29
Static task: static1
Behavioral task: behavioral1
- Sample: 67bf475f5378ea1541920ca69577ead8cc98e3fbbf35f66ab773d86b0053df6b.dll
- Resource: win7-20240708-en
General
- Target: 67bf475f5378ea1541920ca69577ead8cc98e3fbbf35f66ab773d86b0053df6b.dll
- Size: 120KB
- MD5: 597dc6eacd74e8dc1cb880a07cd42976
- SHA1: 04ef206eb9535b92d352aa0f83f64d8f49bab780
- SHA256: 67bf475f5378ea1541920ca69577ead8cc98e3fbbf35f66ab773d86b0053df6b
- SHA512: bea89e33297877fe2fc0f9853a4e1299cc8289c09ae9cdd5338941d70c26c0f0b355710cf42091c156841610ced1d1ebe20aaf058b4f46d22ead735a02ff31fb
- SSDEEP: 1536:UJGGUHrMT6FJEZVgxyXqqowvgJRDxLD5WhEfiAvgxVhsAKlis6YTO0l+w/UoiWY1:HDmPXPvkD1IEfYxVh9QpT3lN/PSEY
Malware Config
Extracted
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76b06b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76b06b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76aed5.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76aed5.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76aed5.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76b06b.exe
UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76aed5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b06b.exe
Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76b06b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76b06b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76aed5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76aed5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76aed5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76b06b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76b06b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76b06b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76aed5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76aed5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76aed5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76b06b.exe
Executes dropped EXE 3 IoCs
pid | Process
592 | f76aed5.exe
2492 | f76b06b.exe
2288 | f76cace.exe
Loads dropped DLL 6 IoCs
pid | Process
2416 | rundll32.exe (6 entries, all from the same process)
Packed with UPX (yara rule: upx) 25 IoCs
resource | yara_rule
behavioral1/memory/592-N-0x00000000005B0000-0x000000000166A000-memory.dmp for N in 12, 14-22, 62-66, 68, 69, 84, 86, 87, 107, 121, 154 (23 dumps of the same region in f76aed5.exe) | upx
behavioral1/memory/2492-N-0x00000000009C0000-0x0000000001A7A000-memory.dmp for N in 181, 183 (2 dumps of the same region in f76b06b.exe) | upx
Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76aed5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76aed5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76aed5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76b06b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76b06b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76b06b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76b06b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76aed5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76aed5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76aed5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76aed5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76b06b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76b06b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76b06b.exe
Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76aed5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b06b.exe
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | f76aed5.exe
File opened (read-only) | \??\G: | f76aed5.exe
File opened (read-only) | \??\H: | f76aed5.exe
File opened (read-only) | \??\I: | f76aed5.exe
File opened (read-only) | \??\N: | f76aed5.exe
File opened (read-only) | \??\P: | f76aed5.exe
File opened (read-only) | \??\S: | f76aed5.exe
File opened (read-only) | \??\J: | f76aed5.exe
File opened (read-only) | \??\L: | f76aed5.exe
File opened (read-only) | \??\Q: | f76aed5.exe
File opened (read-only) | \??\K: | f76aed5.exe
File opened (read-only) | \??\O: | f76aed5.exe
File opened (read-only) | \??\R: | f76aed5.exe
File opened (read-only) | \??\M: | f76aed5.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\f76af04 | f76aed5.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76aed5.exe
File created | C:\Windows\f76fee8 | f76b06b.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
592 | f76aed5.exe
592 | f76aed5.exe
2492 | f76b06b.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
description | pid | Process
Token: SeDebugPrivilege | 592 | f76aed5.exe (repeated; every entry for this process is the same token)
Token: SeDebugPrivilege | 2492 | f76b06b.exe (repeated; every entry for this process is the same token)
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target | count
PID 2396 wrote to memory of 2416 | 2396 | rundll32.exe | 30 | 7
PID 2416 wrote to memory of 592 | 2416 | rundll32.exe | 31 | 4
PID 592 wrote to memory of 1048 | 592 | f76aed5.exe | 17 | 2
PID 592 wrote to memory of 1112 | 592 | f76aed5.exe | 19 | 2
PID 592 wrote to memory of 1188 | 592 | f76aed5.exe | 21 | 2
PID 592 wrote to memory of 1772 | 592 | f76aed5.exe | 25 | 2
PID 592 wrote to memory of 2396 | 592 | f76aed5.exe | 29 | 1
PID 592 wrote to memory of 2416 | 592 | f76aed5.exe | 30 | 2
PID 592 wrote to memory of 2492 | 592 | f76aed5.exe | 32 | 2
PID 592 wrote to memory of 2288 | 592 | f76aed5.exe | 34 | 2
PID 2416 wrote to memory of 2492 | 2416 | rundll32.exe | 32 | 4
PID 2416 wrote to memory of 2288 | 2416 | rundll32.exe | 34 | 4
PID 2492 wrote to memory of 1048 | 2492 | f76b06b.exe | 17 | 1
PID 2492 wrote to memory of 1112 | 2492 | f76b06b.exe | 19 | 1
PID 2492 wrote to memory of 1188 | 2492 | f76b06b.exe | 21 | 1
PID 2492 wrote to memory of 1772 | 2492 | f76b06b.exe | 25 | 1
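The WriteProcessMemory table mixes two very different things: a parent writing into a child it just created (rundll32.exe into the dropped executables, the normal loader pattern) and the droppers writing into processes they did not create (taskhost.exe, Dwm.exe, Explorer.EXE, DllHost.exe), which is cross-process injection. The script below is an added example, not tria.ge code: it parses records in the format shown in this table, folds the duplicate rows into counts, and separates the two cases using a parent map. The sample records and the parent map are constructed from the Processes section of this report; the PID-to-image map is likewise copied from that section for display only.

```python
import re
from collections import defaultdict

# Record format used by the sandbox's WriteProcessMemory table (one record per row):
#   PID <writer> wrote to memory of <target> <writer> <writer image> <target index>
WPM_RE = re.compile(
    r'^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) '
    r'(?P=writer) (?P<image>\S+) (?P<idx>\d+)$'
)

def parse_wpm(line):
    """Return (writer_pid, target_pid, writer_image) or None for a non-matching line."""
    m = WPM_RE.match(line.strip())
    return None if m is None else (int(m["writer"]), int(m["target"]), m["image"])

def write_graph(lines):
    """{writer pid: {target pid: count}} with duplicate records folded into counts."""
    g = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_wpm(line)
        if rec:
            writer, target, _ = rec
            g[writer][target] += 1
    return {w: dict(t) for w, t in g.items()}

def injections(graph, parent_of):
    """Writes into a process the writer did not create, as sorted (writer, target, count).
    A parent writing to its own child is the ordinary CreateProcess/loader pattern;
    anything else is cross-process injection."""
    hits = []
    for writer, targets in graph.items():
        for target, n in targets.items():
            if parent_of.get(target) != writer:
                hits.append((writer, target, n))
    return sorted(hits)

# Constructed sample: a subset of this report's records, duplicates included on purpose.
SAMPLE = [
    "PID 2396 wrote to memory of 2416 2396 rundll32.exe 30",
    "PID 2396 wrote to memory of 2416 2396 rundll32.exe 30",
    "PID 2416 wrote to memory of 592 2416 rundll32.exe 31",
    "PID 592 wrote to memory of 1048 592 f76aed5.exe 17",
    "PID 592 wrote to memory of 1048 592 f76aed5.exe 17",
    "PID 592 wrote to memory of 1188 592 f76aed5.exe 21",
    "PID 592 wrote to memory of 2492 592 f76aed5.exe 32",
    "PID 2416 wrote to memory of 2492 2416 rundll32.exe 32",
    "PID 2492 wrote to memory of 1772 2492 f76b06b.exe 25",
]

# Parent/child links and image names, taken from the Processes tree of this report.
PARENT_OF = {2416: 2396, 592: 2416, 2492: 2416, 2288: 2416}
NAMES = {1048: "taskhost.exe", 1112: "Dwm.exe", 1188: "Explorer.EXE", 1772: "DllHost.exe",
         2396: "rundll32.exe", 2416: "rundll32.exe", 592: "f76aed5.exe",
         2492: "f76b06b.exe", 2288: "f76cace.exe"}

if __name__ == "__main__":
    for writer, target, n in injections(write_graph(SAMPLE), PARENT_OF):
        print(f"{NAMES.get(writer, '?')} ({writer}) -> {NAMES.get(target, '?')} ({target}) x{n}")
```

On the full table this flags f76aed5.exe writing into all four pre-existing system processes plus the rundll32.exe hosts and its sibling droppers, and f76b06b.exe writing into the same four system processes, while the rundll32.exe to dropped-executable writes drop out as ordinary process creation.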
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76aed5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b06b.exe
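The registry signatures above all describe one thing: both droppers switch off UAC (EnableLUA), switch off the firewall and its notifications under the SharedAccess FirewallPolicy key, and tell Security Center that AV, firewall and UAC are "handled" so the user sees no warning. The script below is an added example, not tria.ge code or part of the sample: it parses records in the format these tables use, keeps only the ones that put a value into its defence-weakening state (or create a key under Security Center), and groups them per process. The mapping of value names to effects and ATT&CK technique IDs (T1548.002, T1562.001, T1562.004) is mine; the sample records are constructed in the page's format, and the last one is a benign re-enable that must not be flagged.

```python
import re
from collections import defaultdict

# Record format used by the sandbox's registry IoC tables, e.g.
#   Set value (int) \REGISTRY\MACHINE\...\EnableLUA = "0" f76aed5.exe
#   Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76b06b.exe
# The path may contain spaces ("Security Center"), so it is matched lazily and the
# process name is anchored to the end of the line.
IOC_RE = re.compile(
    r'^(?P<action>Set value \((?P<type>\w+)\)|Key created)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s*=\s*"(?P<value>[^"]*)")?'
    r'\s+(?P<proc>\S+)$'
)

# Value name -> (value that weakens the defence, effect, ATT&CK technique). My mapping.
WEAKENING = {
    "EnableLUA":              ("0", "UAC disabled",                              "T1548.002"),
    "EnableFirewall":         ("0", "Windows Firewall disabled",                 "T1562.004"),
    "DoNotAllowExceptions":   ("0", "firewall exceptions allowed",               "T1562.004"),
    "DisableNotifications":   ("1", "firewall notifications suppressed",         "T1562.004"),
    "AntiVirusDisableNotify": ("1", "AV-missing warnings suppressed",            "T1562.001"),
    "FirewallDisableNotify":  ("1", "firewall-off warnings suppressed",          "T1562.001"),
    "UpdatesDisableNotify":   ("1", "update warnings suppressed",                "T1562.001"),
    "UacDisableNotify":       ("1", "UAC-off warnings suppressed",               "T1562.001"),
    "AntiVirusOverride":      ("1", "Security Center told AV is handled",        "T1562.001"),
    "FirewallOverride":       ("1", "Security Center told firewall is handled",  "T1562.001"),
}

def parse_ioc(line):
    """Split one record into action/type/path/value/proc plus the leaf value name."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["name"] = d["path"].rsplit("\\", 1)[-1]
    return d

def assess(lines):
    """{process: [(value_name, value, effect, technique)]} for every record that sets a
    value to its weakening state or creates a key under Security Center."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_ioc(line)
        if rec is None:
            continue
        name = rec["name"]
        if rec["action"] == "Key created" and "Security Center" in rec["path"]:
            findings[rec["proc"]].append((name, None, "Security Center key created", "T1562.001"))
            continue
        rule = WEAKENING.get(name)
        if rule and rec["value"] == rule[0]:
            findings[rec["proc"]].append((name, rec["value"], rule[1], rule[2]))
    return dict(findings)

# Constructed sample records in the page's format (not a live capture).
SAMPLE = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76aed5.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76aed5.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76b06b.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76b06b.exe',
    # A benign re-enable of UAC: same key, opposite value, must not be flagged.
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" benign.exe',
]

if __name__ == "__main__":
    for proc, hits in assess(SAMPLE).items():
        print(proc)
        for name, value, effect, tech in hits:
            print(f"  {name}={value!r}: {effect} [{tech}]")
```

The same value-name table doubles as a post-infection checklist: on a suspected host, each of these values should be back at the opposite state (EnableLUA and EnableFirewall at 1, the DisableNotify and Override values at 0) before the machine is considered clean, since a second-stage component that writes them can keep a rebuilt defence silently off.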
Processes (child processes indented under their parent)

C:\Windows\system32\taskhost.exe  "taskhost.exe"  (PID 1048)

C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  (PID 1112)

C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  (PID 1188)

C:\Windows\system32\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\67bf475f5378ea1541920ca69577ead8cc98e3fbbf35f66ab773d86b0053df6b.dll,#1  (PID 2396)
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\67bf475f5378ea1541920ca69577ead8cc98e3fbbf35f66ab773d86b0053df6b.dll,#1  (PID 2416)
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\f76aed5.exe  C:\Users\Admin\AppData\Local\Temp\f76aed5.exe  (PID 592)
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
        C:\Users\Admin\AppData\Local\Temp\f76b06b.exe  C:\Users\Admin\AppData\Local\Temp\f76b06b.exe  (PID 2492)
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
        C:\Users\Admin\AppData\Local\Temp\f76cace.exe  C:\Users\Admin\AppData\Local\Temp\f76cace.exe  (PID 2288)
          - Executes dropped EXE

C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  (PID 1772)
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

- Filesize: 257B
  MD5: 43343ef88ebd04d3d839d4ea909930ee
  SHA1: 8d47b3f9726aa4aa724214757b867c8dea21f29f
  SHA256: 7f5f26022ed25c9e7e199267dd40bfceb8a008d2ef6e597c57ffa5237d067e16
  SHA512: f7afe3c52336dcda62c10c68182507daecb659790771fd7287f1b960c352c4134a0604285e5f13e988f70d591a52f34f85a423683a5171726e0b7b1952b15923

- Filesize: 97KB
  MD5: d6f3d6789c6c5a37367781325b361ddc
  SHA1: 94b7364394c950d68d289f5a116a94afe2e94a42
  SHA256: 965f34aaa11d853f4d6f84ce6ef49f64480844ae369816dbbad29251e88bf016
  SHA512: 0fba03b431c8d4ebd357e19e0d722f1abeba6ac9c1799ab8ffdf85ef1172dc7e0dfce0378580d76e10ad44eef27ef943717fb081b3d4d3f150d96dc5e70971d1