Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13/09/2024, 17:44
Static task: static1
Behavioral task: behavioral1
Sample: 89c0a2b1b332297a04320e9b2134dfb0N.dll
Resource: win7-20240903-en
General
Target: 89c0a2b1b332297a04320e9b2134dfb0N.dll
Size: 120KB
MD5: 89c0a2b1b332297a04320e9b2134dfb0
SHA1: ec67e9b7ac4e7eeb0135d752edc7a8d23650ee6b
SHA256: be7e8c94e3bb29348cb48745bf99214ab67b3c7c83b0e48629bc1cc28e87776a
SHA512: 6c188a4897a1d269aa480627a728173fe20a11bf4343f62df9d81d11188a551ec540b627a17f4adb548d7935b1aa696565f36b4cc9b320edaf03bd922feffb0d
SSDEEP: 3072:PkhcQPieS7rzilcW2orYvBKozhwsv/m6+Js0eJdKwmG7:Pk6Q6vrzilcVyYvBKHwe6n0eJx7
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f77207c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f77207c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f771e98.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f771e98.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f771e98.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f77207c.exe

UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f77207c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f771e98.exe

Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f771e98.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f77207c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f771e98.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f771e98.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f771e98.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f77207c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f77207c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f77207c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f771e98.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f771e98.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f77207c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f77207c.exe
Executes dropped EXE 3 IoCs
pid | Process
2692 | f771e98.exe
2684 | f77207c.exe
628 | f773a33.exe

Loads dropped DLL 6 IoCs
pid | Process
2156 | rundll32.exe (6 identical entries)

UPX packed file 24 IoCs
resource | yara_rule
behavioral1/memory/2692-17-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2692-12-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2692-21-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2692-19-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2692-18-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2692-15-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2692-22-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2692-14-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2692-16-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2692-20-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2692-60-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2692-61-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2692-62-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2692-64-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2692-63-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2692-66-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2692-67-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2692-80-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2692-83-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2692-86-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2692-106-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2692-149-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2684-171-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2684-184-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx

Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f771e98.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f77207c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f77207c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f771e98.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f771e98.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f771e98.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f77207c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f77207c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f77207c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f771e98.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f771e98.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f77207c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f77207c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f771e98.exe

Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f771e98.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f77207c.exe
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\L: | f771e98.exe
File opened (read-only) | \??\P: | f771e98.exe
File opened (read-only) | \??\Q: | f771e98.exe
File opened (read-only) | \??\E: | f771e98.exe
File opened (read-only) | \??\J: | f771e98.exe
File opened (read-only) | \??\R: | f771e98.exe
File opened (read-only) | \??\T: | f771e98.exe
File opened (read-only) | \??\K: | f771e98.exe
File opened (read-only) | \??\M: | f771e98.exe
File opened (read-only) | \??\N: | f771e98.exe
File opened (read-only) | \??\O: | f771e98.exe
File opened (read-only) | \??\S: | f771e98.exe
File opened (read-only) | \??\G: | f771e98.exe
File opened (read-only) | \??\H: | f771e98.exe
File opened (read-only) | \??\I: | f771e98.exe

Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\f776f27 | f77207c.exe
File created | C:\Windows\f771ef6 | f771e98.exe
File opened for modification | C:\Windows\SYSTEM.INI | f771e98.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f771e98.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f77207c.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
2692 | f771e98.exe
2692 | f771e98.exe
2684 | f77207c.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2692 | f771e98.exe (23 identical entries)
Token: SeDebugPrivilege | 2684 | f77207c.exe (22 identical entries)
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target
(consecutive identical rows are collapsed; the count in parentheses gives the number of occurrences)
PID 2080 wrote to memory of 2156 | 2080 | rundll32.exe | 30 (x7)
PID 2156 wrote to memory of 2692 | 2156 | rundll32.exe | 31 (x4)
PID 2692 wrote to memory of 1092 | 2692 | f771e98.exe | 19
PID 2692 wrote to memory of 1168 | 2692 | f771e98.exe | 20
PID 2692 wrote to memory of 1228 | 2692 | f771e98.exe | 21
PID 2692 wrote to memory of 1656 | 2692 | f771e98.exe | 25
PID 2692 wrote to memory of 2080 | 2692 | f771e98.exe | 29
PID 2692 wrote to memory of 2156 | 2692 | f771e98.exe | 30 (x2)
PID 2156 wrote to memory of 2684 | 2156 | rundll32.exe | 32 (x4)
PID 2156 wrote to memory of 628 | 2156 | rundll32.exe | 33 (x4)
PID 2692 wrote to memory of 1092 | 2692 | f771e98.exe | 19
PID 2692 wrote to memory of 1168 | 2692 | f771e98.exe | 20
PID 2692 wrote to memory of 1228 | 2692 | f771e98.exe | 21
PID 2692 wrote to memory of 1656 | 2692 | f771e98.exe | 25
PID 2692 wrote to memory of 2684 | 2692 | f771e98.exe | 32 (x2)
PID 2692 wrote to memory of 628 | 2692 | f771e98.exe | 33 (x2)
PID 2684 wrote to memory of 1092 | 2684 | f77207c.exe | 19
PID 2684 wrote to memory of 1168 | 2684 | f77207c.exe | 20
PID 2684 wrote to memory of 1228 | 2684 | f77207c.exe | 21
PID 2684 wrote to memory of 1656 | 2684 | f77207c.exe | 25
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f771e98.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f77207c.exe
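The firewall-policy, UAC-bypass, Security Center and system-policy tables above are one small set of registry writes viewed through four signature names. As an added example that is not part of the Triage report, the Python below parses those rows in the text form they take on this page, maps each write to the defensive control it defeats, and flags any process that defeats more than one. The rows are copied from the tables (a representative subset), plus one constructed benign row in which svchost.exe sets EnableFirewall to 1 to show a non-match; the control names and the two-control threshold are this example's own choices. The writes are recorded under Wow6432Node, consistent with 32-bit code running under WOW64 (the droppers are launched from SysWOW64\rundll32.exe on this x64 image); on a native 32-bit host the same values sit under HKLM\SOFTWARE\Microsoft\Security Center, so the matcher compares path suffixes rather than full paths.

```python
"""Map the registry writes from the signature tables to the defensive
control each one defeats, and flag processes that defeat several.

Added example, not part of the Triage report. Rows are copied from the
tables above in the text form they appear in, plus one constructed benign
row; the control names and the threshold are this example's own.
"""
import re
from collections import defaultdict

REPORT_ROWS = [
    # from 'Modifies firewall policy service'
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f771e98.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f771e98.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f77207c.exe',
    # from 'UAC bypass' / 'System policy modification'
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f771e98.exe',
    # from 'Windows security bypass' / 'Windows security modification'
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f771e98.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f77207c.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f77207c.exe',
    # constructed benign row (not from the report): same value, protective setting
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" svchost.exe',
]

# '<op> <path>[ = "<int>"] <process>' as the rows are printed in the report
ROW_RE = re.compile(
    r'^(Set value \(int\)|Key created) (\\REGISTRY\\.+?)(?: = "(\d+)")? (\S+\.exe)$'
)

# (value-path suffix, value that defeats the control, control name).
# Suffix matching covers both the native and the Wow6432Node view of the key.
TAMPER_RULES = [
    (r'\FirewallPolicy\StandardProfile\EnableFirewall', '0', 'firewall'),
    (r'\FirewallPolicy\StandardProfile\DoNotAllowExceptions', '0', 'firewall'),
    (r'\FirewallPolicy\StandardProfile\DisableNotifications', '1', 'firewall'),
    (r'\Policies\System\EnableLUA', '0', 'uac'),
    (r'\Security Center\AntiVirusOverride', '1', 'security_center'),
    (r'\Security Center\AntiVirusDisableNotify', '1', 'security_center'),
    (r'\Security Center\FirewallOverride', '1', 'security_center'),
    (r'\Security Center\FirewallDisableNotify', '1', 'security_center'),
    (r'\Security Center\UpdatesDisableNotify', '1', 'security_center'),
    (r'\Security Center\UacDisableNotify', '1', 'security_center'),
]


def parse_row(row):
    """Split one report row into op, registry path, integer value (or None) and process."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    op, path, value, process = m.groups()
    return {"op": op, "path": path, "value": value, "process": process}


def classify(event):
    """Name the control this write defeats, or None if the write is not tampering."""
    if event["op"] != "Set value (int)":
        return None  # key creation alone carries no value to judge
    path = event["path"].lower()
    for suffix, bad_value, control in TAMPER_RULES:
        if path.endswith(suffix.lower()) and event["value"] == bad_value:
            return control
    return None


def tampering_by_process(rows):
    """process name -> set of controls it defeated."""
    hits = defaultdict(set)
    for row in rows:
        event = parse_row(row)
        control = classify(event)
        if control:
            hits[event["process"]].add(control)
    return dict(hits)


def verdict(hits, threshold=2):
    """Processes that defeat at least `threshold` distinct controls (threshold is this example's choice)."""
    return sorted(p for p, controls in hits.items() if len(controls) >= threshold)


if __name__ == "__main__":
    found = tampering_by_process(REPORT_ROWS)
    for process, controls in found.items():
        print(f"{process}: {', '.join(sorted(controls))}")
    print("flagged:", verdict(found))
```

Feeding the full tables through the same parser gives the same two names; the point of the threshold is that a single EnableFirewall=0 from an installer is a policy question, while one process turning off the firewall, UAC and Security Center notifications in the same run is not.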
Processes
(indentation follows the depth shown in the report's process tree)
C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1092
C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1168
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1228
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\89c0a2b1b332297a04320e9b2134dfb0N.dll,#1 | PID:2080
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\89c0a2b1b332297a04320e9b2134dfb0N.dll,#1 | PID:2156
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\f771e98.exe | C:\Users\Admin\AppData\Local\Temp\f771e98.exe | PID:2692
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\f77207c.exe | C:\Users\Admin\AppData\Local\Temp\f77207c.exe | PID:2684
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\f773a33.exe | C:\Users\Admin\AppData\Local\Temp\f773a33.exe | PID:628
        - Executes dropped EXE
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:1656
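The "wrote to memory" rows only become readable once they are joined against the process tree. As an added example that is not part of the Triage report, the Python below encodes the parent/child links drawn in the tree above, replays one row per unique writer/target pair from the WriteProcessMemory table, and keeps only writes whose target lies outside the writer's own subtree. A parent writing into a child it has just created (2080 into 2156, 2156 into 2692, 2684 and 628) is the ordinary process-setup path and is excluded; what remains is the dropped f771e98.exe and f77207c.exe writing into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe, which were already running before the sample was loaded. The parent of the depth-1 processes and of rundll32.exe (PID 2080) is not shown on the page and is recorded as unknown.

```python
"""Join the WriteProcessMemory rows against the process tree to separate
parent-to-child setup writes from writes into unrelated processes.

Added example, not part of the Triage report. PIDs, images and parent links
come from the Processes section above; the parent of the depth-1 processes
and of rundll32.exe (PID 2080) is not shown on the page, so it is None.
"""
import re
from collections import defaultdict

# pid -> (image, parent pid) as drawn in the process tree
PROCESSES = {
    1092: ("taskhost.exe", None),
    1168: ("Dwm.exe", None),
    1228: ("Explorer.EXE", None),
    1656: ("DllHost.exe", None),
    2080: ("rundll32.exe", None),
    2156: ("rundll32.exe", 2080),
    2692: ("f771e98.exe", 2156),
    2684: ("f77207c.exe", 2156),
    628: ("f773a33.exe", 2156),
}

# One row per unique writer/target pair, copied from the
# 'Suspicious use of WriteProcessMemory' table (repeated rows dropped).
WRITE_ROWS = [
    "PID 2080 wrote to memory of 2156 2080 rundll32.exe 30",
    "PID 2156 wrote to memory of 2692 2156 rundll32.exe 31",
    "PID 2692 wrote to memory of 1092 2692 f771e98.exe 19",
    "PID 2692 wrote to memory of 1168 2692 f771e98.exe 20",
    "PID 2692 wrote to memory of 1228 2692 f771e98.exe 21",
    "PID 2692 wrote to memory of 1656 2692 f771e98.exe 25",
    "PID 2692 wrote to memory of 2080 2692 f771e98.exe 29",
    "PID 2692 wrote to memory of 2156 2692 f771e98.exe 30",
    "PID 2156 wrote to memory of 2684 2156 rundll32.exe 32",
    "PID 2156 wrote to memory of 628 2156 rundll32.exe 33",
    "PID 2692 wrote to memory of 2684 2692 f771e98.exe 32",
    "PID 2692 wrote to memory of 628 2692 f771e98.exe 33",
    "PID 2684 wrote to memory of 1092 2684 f77207c.exe 19",
    "PID 2684 wrote to memory of 1168 2684 f77207c.exe 20",
    "PID 2684 wrote to memory of 1228 2684 f77207c.exe 21",
    "PID 2684 wrote to memory of 1656 2684 f77207c.exe 25",
]

# 'PID <src> wrote to memory of <dst> <pid> <image> <procid_target>'
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+$")


def parse_write(row):
    """Return (writer pid, target pid) from one report row."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    return int(m.group(1)), int(m.group(2))


def is_descendant(procs, pid, ancestor):
    """True if `pid` sits below `ancestor` in the parent chain."""
    parent = procs[pid][1]
    while parent is not None:
        if parent == ancestor:
            return True
        parent = procs[parent][1]
    return False


def cross_tree_writes(procs, rows):
    """Writes whose target is outside the writer's subtree, as
    (writer pid, writer image, target pid, target image) tuples."""
    found = []
    for row in rows:
        src, dst = parse_write(row)
        if not is_descendant(procs, dst, src):
            found.append((src, procs[src][0], dst, procs[dst][0]))
    return found


def injection_targets(procs, rows):
    """Writer image -> sorted list of distinct target images outside its subtree."""
    targets = defaultdict(set)
    for _, src_image, _, dst_image in cross_tree_writes(procs, rows):
        targets[src_image].add(dst_image)
    return {image: sorted(v) for image, v in targets.items()}


if __name__ == "__main__":
    for src, src_image, dst, dst_image in cross_tree_writes(PROCESSES, WRITE_ROWS):
        print(f"{src_image} ({src}) -> {dst_image} ({dst})")
```

The check is deliberately structural rather than name-based: a writer touching a process it did not create is the condition worth alerting on, whatever the victim is called. Against these rows it yields twelve cross-tree writes, including f771e98.exe writing back into both rundll32.exe instances and into its sibling droppers, which a name-only list of "system processes" would miss.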
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 94263a135458e9f372c0a6ea940af2d9
SHA1: 0dc3c19078db0868275c02ff25108f657112d699
SHA256: bc9791058f14e94589553182fff5638d8fe1883200e6393b49243ddeb9e7de85
SHA512: 8af8dab2a2ddaea68f4dc839db7136ba06ab0ebd791a400245848076834b7784ca1466f0098ea6a752445258b6d986e1f784ea30a72a4175d5c8e47b9ea898eb

Filesize: 257B
MD5: 7cae9df6d497f47ee929a2a748534877
SHA1: bcd37f002a757654960aacc85dfba703fc8e8f33
SHA256: e60f5b32befdb3b84d00552aee2bf227aa87411f935674c9d917bb362b9919ca
SHA512: 64ea6de1197e4a68abc414eee39c3f49e91bc0763cb8c199256419ee25acdcbfc804ade0a6b7ed9ca0d4b7b42f216ca64f0a41bc90fd4d0b09d8579dec01c3a1