Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 28s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19/09/2024, 00:06
Static task
static1
Behavioral task
behavioral1
Sample
99dea991bf7691d21511f80d85f3f9be14149cf554821a27e38bde79e74727fbN.dll
Resource
win7-20240903-en
General
- Target: 99dea991bf7691d21511f80d85f3f9be14149cf554821a27e38bde79e74727fbN.dll
- Size: 120KB
- MD5: 8d774e7dbebae07f2fa78cdbab27edc0
- SHA1: ac62dad926c673b40915ebc2f8633318dfbcdee5
- SHA256: 99dea991bf7691d21511f80d85f3f9be14149cf554821a27e38bde79e74727fb
- SHA512: 3dcc6c61f73a95645b27502ee88f8550e2e3967bd6390fce6d57f2b18a9dfc83b3c6ceaddd52489fb3ecf1d846e445463b332a3b077fa8a7af2551c0b779e46d
- SSDEEP: 1536:giXYpwlDVoqnt8FpxujfxpDyp3cvG2RvG4cBZtp/B6zUZhhBJsGV6GcavPh9EWVo:zXXVoaynujJNypMtdcntZBH0yD7RVjc
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description / ioc / Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (f76aca4.exe)
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (f76aca4.exe)
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (f76aca4.exe)
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (f76ae68.exe)
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (f76ae68.exe)
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (f76ae68.exe)
UAC bypass 2 IoCs
description / ioc / Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f76aca4.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f76ae68.exe)
Windows security bypass 12 IoCs
description / ioc / Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f76aca4.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f76aca4.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f76aca4.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f76aca4.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f76aca4.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f76aca4.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f76ae68.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f76ae68.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f76ae68.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f76ae68.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f76ae68.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f76ae68.exe)
Executes dropped EXE 3 IoCs
pid / Process
2904 f76aca4.exe
2612 f76ae68.exe
2528 f76cde9.exe
Loads dropped DLL 6 IoCs
pid / Process
1864 rundll32.exe (6 entries)
YARA match: upx 25 IoCs
resource / yara_rule
behavioral1/memory/2904-N-0x0000000000690000-0x000000000174A000-memory.dmp upx, for N = 11, 13, 14, 15, 16, 17, 18, 19, 20, 21, 60, 61, 62, 63, 64, 66, 83, 84, 104, 106, 108, 109, 152 (23 dumps of PID 2904, f76aca4.exe)
behavioral1/memory/2612-165-0x0000000000A60000-0x0000000001B1A000-memory.dmp upx
behavioral1/memory/2612-191-0x0000000000A60000-0x0000000001B1A000-memory.dmp upx
Windows security modification 14 IoCs
description / ioc / Process
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (f76aca4.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f76aca4.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f76aca4.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f76aca4.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f76aca4.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f76aca4.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f76aca4.exe)
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (f76ae68.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f76ae68.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f76ae68.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f76ae68.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f76ae68.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f76ae68.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f76ae68.exe)
Checks whether UAC is enabled 2 IoCs
description / ioc / Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f76aca4.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f76ae68.exe)
Enumerates connected drives 3 TTPs 12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description / ioc / Process
File opened (read-only) \??\E: (f76aca4.exe)
File opened (read-only) \??\G: (f76aca4.exe)
File opened (read-only) \??\H: (f76aca4.exe)
File opened (read-only) \??\I: (f76aca4.exe)
File opened (read-only) \??\J: (f76aca4.exe)
File opened (read-only) \??\K: (f76aca4.exe)
File opened (read-only) \??\L: (f76aca4.exe)
File opened (read-only) \??\M: (f76aca4.exe)
File opened (read-only) \??\N: (f76aca4.exe)
File opened (read-only) \??\O: (f76aca4.exe)
File opened (read-only) \??\P: (f76aca4.exe)
File opened (read-only) \??\Q: (f76aca4.exe)
Drops file in Windows directory 3 IoCs
description / ioc / Process
File created C:\Windows\f76ad30 (f76aca4.exe)
File opened for modification C:\Windows\SYSTEM.INI (f76aca4.exe)
File created C:\Windows\f76fd52 (f76ae68.exe)
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (f76aca4.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (f76ae68.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid / Process
2904 f76aca4.exe (2 entries)
2612 f76ae68.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
description / pid / Process
Token: SeDebugPrivilege 2904 f76aca4.exe (repeated throughout the run)
Token: SeDebugPrivilege 2612 f76ae68.exe (repeated throughout the run)
Suspicious use of WriteProcessMemory 38 IoCs
description / pid / Process / procid_target (the writer's name is given; target names are taken from the Processes section)
PID 2112 (rundll32.exe) wrote to memory of 1864 (rundll32.exe), procid_target 30, 7 entries
PID 1864 (rundll32.exe) wrote to memory of 2904 (f76aca4.exe), procid_target 31, 4 entries
PID 2904 (f76aca4.exe) wrote to memory of 1044 (Dwm.exe), procid_target 17
PID 2904 (f76aca4.exe) wrote to memory of 1068 (taskhost.exe), procid_target 18
PID 2904 (f76aca4.exe) wrote to memory of 1128 (Explorer.EXE), procid_target 20
PID 2904 (f76aca4.exe) wrote to memory of 1996 (DllHost.exe), procid_target 23
PID 2904 (f76aca4.exe) wrote to memory of 2112 (rundll32.exe), procid_target 29
PID 2904 (f76aca4.exe) wrote to memory of 1864 (rundll32.exe), procid_target 30, 2 entries
PID 1864 (rundll32.exe) wrote to memory of 2612 (f76ae68.exe), procid_target 32, 4 entries
PID 1864 (rundll32.exe) wrote to memory of 2528 (f76cde9.exe), procid_target 34, 4 entries
PID 2904 (f76aca4.exe) wrote to memory of 1044 (Dwm.exe), procid_target 17
PID 2904 (f76aca4.exe) wrote to memory of 1068 (taskhost.exe), procid_target 18
PID 2904 (f76aca4.exe) wrote to memory of 1128 (Explorer.EXE), procid_target 20
PID 2904 (f76aca4.exe) wrote to memory of 1996 (DllHost.exe), procid_target 23
PID 2904 (f76aca4.exe) wrote to memory of 2612 (f76ae68.exe), procid_target 32, 2 entries
PID 2904 (f76aca4.exe) wrote to memory of 2528 (f76cde9.exe), procid_target 34, 2 entries
PID 2612 (f76ae68.exe) wrote to memory of 1044 (Dwm.exe), procid_target 17
PID 2612 (f76ae68.exe) wrote to memory of 1068 (taskhost.exe), procid_target 18
PID 2612 (f76ae68.exe) wrote to memory of 1128 (Explorer.EXE), procid_target 20
PID 2612 (f76ae68.exe) wrote to memory of 1996 (DllHost.exe), procid_target 23
System policy modification 1 TTPs 2 IoCs
description / ioc / Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f76aca4.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f76ae68.exe)
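Added example, not part of the tria.ge report: a small Python checker that parses the report's own `Set value (int) <key> = "<value>" <process>` and `Key created <key> <process>` records from the Signatures section and maps each write to the ATT&CK technique the report's matrix lists for it. The rule table (which key and value counts as defense impairment) and the sample lines are constructed here; the technique IDs are the standard ATT&CK ones, and the mapping itself is this script's assumption, not something the report states.

```python
"""Map tria.ge registry IoC records to ATT&CK techniques (added example)."""
import re
from collections import defaultdict

# Constructed sample input: a subset of the Signatures records above, plus
# one benign-valued write (FirewallOverride = "0") that must NOT be flagged.
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76aca4.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76aca4.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76ae68.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76aca4.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76ae68.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76aca4.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76aca4.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "0" f76aca4.exe',
]

# Record formats as they appear in the report. The key path may contain
# spaces ("Security Center"), so the path group is non-greedy up to ' = "'.
SET_VALUE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "([^"]*)" (\S+)$')
KEY_CREATED = re.compile(r'^Key created (\\REGISTRY\\.+) (\S+)$')

# (value-name pattern, value that indicates impairment, ATT&CK technique).
# This table is the script's assumption, chosen to match the report's matrix.
RULES = [
    (r'\\FirewallPolicy\\\w+\\EnableFirewall$',       "0", "T1562.004 Disable or Modify System Firewall"),
    (r'\\FirewallPolicy\\\w+\\DoNotAllowExceptions$', "0", "T1562.004 Disable or Modify System Firewall"),
    (r'\\FirewallPolicy\\\w+\\DisableNotifications$', "1", "T1562.004 Disable or Modify System Firewall"),
    (r'\\Policies\\System\\EnableLUA$',               "0", "T1548.002 Bypass User Account Control"),
    (r'\\Security Center\\\w+DisableNotify$',         "1", "T1562.001 Disable or Modify Tools"),
    (r'\\Security Center\\\w+Override$',              "1", "T1562.001 Disable or Modify Tools"),
]


def parse_registry_iocs(lines):
    """Turn the report's flattened IoC records into dicts; unknown lines are skipped."""
    records = []
    for line in lines:
        m = SET_VALUE.match(line)
        if m:
            vtype, path, value, proc = m.groups()
            records.append({"op": "set", "type": vtype, "path": path,
                            "value": value, "process": proc})
            continue
        m = KEY_CREATED.match(line)
        if m:
            path, proc = m.groups()
            records.append({"op": "create", "type": None, "path": path,
                            "value": None, "process": proc})
    return records


def classify(records):
    """Return (process, technique, value name, value) for every record that
    matches a rule with the impairing value. Key creations carry no value and
    are left to the analyst."""
    findings = []
    for rec in records:
        if rec["op"] != "set":
            continue
        for pattern, bad_value, technique in RULES:
            if re.search(pattern, rec["path"]) and rec["value"] == bad_value:
                value_name = rec["path"].rsplit("\\", 1)[1]
                findings.append((rec["process"], technique, value_name, rec["value"]))
                break
    return findings


def summarize(lines):
    """Per-process sorted list of techniques, the way the process tree shows them."""
    per_proc = defaultdict(set)
    for proc, technique, _name, _value in classify(parse_registry_iocs(lines)):
        per_proc[proc].add(technique)
    return {proc: sorted(techs) for proc, techs in per_proc.items()}


if __name__ == "__main__":
    for proc, techs in summarize(SAMPLE_IOCS).items():
        print(proc)
        for t in techs:
            print("   ", t)
```

The benign-valued `FirewallOverride = "0"` line is included on purpose: a checker that keys on the value name alone would flag it, while the rule table requires the impairing value, which is what distinguishes a hardening change from the Sality pattern seen here.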
Processes
- C:\Windows\system32\Dwm.exe (depth 1, PID 1044)
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\system32\taskhost.exe (depth 1, PID 1068)
  command line: taskhost.exe
- C:\Windows\Explorer.EXE (depth 1, PID 1128)
  command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe (depth 2, PID 2112)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\99dea991bf7691d21511f80d85f3f9be14149cf554821a27e38bde79e74727fbN.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (depth 3, PID 1864)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\99dea991bf7691d21511f80d85f3f9be14149cf554821a27e38bde79e74727fbN.dll,#1
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\f76aca4.exe (depth 4, PID 2904)
        command line: C:\Users\Admin\AppData\Local\Temp\f76aca4.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\f76ae68.exe (depth 4, PID 2612)
        command line: C:\Users\Admin\AppData\Local\Temp\f76ae68.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\f76cde9.exe (depth 4, PID 2528)
        command line: C:\Users\Admin\AppData\Local\Temp\f76cde9.exe
        - Executes dropped EXE
- C:\Windows\system32\DllHost.exe (depth 1, PID 1996)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
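Added example, not from the report: a Python triage helper that parses the flattened `PID A wrote to memory of B A name n` records from the "Suspicious use of WriteProcessMemory" signature and flags writes into processes the writer did not spawn. That rule separates the ordinary creation-time writes (rundll32.exe into the children it launches) from f76aca4.exe and f76ae68.exe writing into Dwm.exe, taskhost.exe, Explorer.EXE and DllHost.exe, which is the injection pattern worth a hunt. The process table is reconstructed from the Processes section above; the parent assigned to PID 2112 (Explorer, from tree depth) and the sample record string are assumptions of this script.

```python
"""Flag cross-process memory writes outside the parent->child relation (added example)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the report's WriteProcessMemory records,
# concatenated on one line exactly as the report renders them.
SAMPLE_RECORDS = (
    "PID 2112 wrote to memory of 1864 2112 rundll32.exe 30 "
    "PID 1864 wrote to memory of 2904 1864 rundll32.exe 31 "
    "PID 2904 wrote to memory of 1044 2904 f76aca4.exe 17 "
    "PID 2904 wrote to memory of 1128 2904 f76aca4.exe 20 "
    "PID 2904 wrote to memory of 2112 2904 f76aca4.exe 29 "
    "PID 1864 wrote to memory of 2612 1864 rundll32.exe 32 "
    "PID 2612 wrote to memory of 1996 2612 f76ae68.exe 23 "
    "PID 2904 wrote to memory of 1044 2904 f76aca4.exe 17"
)

# writer pid, target pid, writer pid again, writer image, tria.ge procid_target
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")

# pid -> (image name, parent pid), reconstructed from the Processes section.
# The report does not give parents for the long-lived system processes, so
# they are None. 2112's parent being Explorer (1128) is this script's assumption.
PROCESSES = {
    1044: ("Dwm.exe", None),
    1068: ("taskhost.exe", None),
    1128: ("Explorer.EXE", None),
    1996: ("DllHost.exe", None),
    2112: ("rundll32.exe", 1128),
    1864: ("rundll32.exe", 2112),
    2904: ("f76aca4.exe", 1864),
    2612: ("f76ae68.exe", 1864),
    2528: ("f76cde9.exe", 1864),
}


def parse_writes(blob):
    """Return (writer_pid, target_pid, writer_name) tuples from the flattened text."""
    return [(int(w), int(t), name) for w, t, name, _idx in WRITE_RE.findall(blob)]


def flag_injections(writes, processes):
    """A parent writing into a child it spawned is expected (loader work at
    process creation). Any other cross-process write is an injection candidate.
    Returns "writer (pid)" -> sorted unique "target (pid)" strings."""
    hits = defaultdict(set)
    for writer, target, writer_name in writes:
        target_name, parent = processes.get(target, (f"pid {target}", None))
        if parent == writer:
            continue  # creation-time write by the parent, not flagged
        hits[f"{writer_name} ({writer})"].add(f"{target_name} ({target})")
    return {writer: sorted(targets) for writer, targets in hits.items()}


if __name__ == "__main__":
    for writer, targets in flag_injections(parse_writes(SAMPLE_RECORDS), PROCESSES).items():
        print(writer, "->", ", ".join(targets))
```

Note that the write from 2904 into 2112 is also flagged: a child writing back into its grand-parent is never creation-time work, and on the full record set the same rule flags f76aca4.exe's writes into its siblings f76ae68.exe and f76cde9.exe, which it did not create.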
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 257B
  MD5: 6b601239b2ba4e0adb0d9c06ce1d2b31
  SHA1: 245320c5f1e64637ebefd30c11ae8d5df1334250
  SHA256: c60534522d2e69a0a2b9818c2f3f6779b0eda997e5c1b75fb7f0f9a48fcb82f5
  SHA512: 25ec6ae3c8bb5cb8bda04f2a0954479ae94c16061dd42215bb7af621e4f761f1aa0618d6568079cc8070d632f60a8095800657102204598cd524fe476486b3c2
- Filesize: 97KB
  MD5: f5f30081b87865ff7c46fe7c5029e0df
  SHA1: 1cbbc681e6b7d66e49293577201eaf2c6c16ee3e
  SHA256: 79b46816aae06497aa071fa22ca166845377a2c56ad866c16edadff3c1b5f94f
  SHA512: 498c41adbc69b83367f6b7f0c8a9de61c43dba5f735f81510c7b4dad10bfd089be0d99cc6807f925f18ccbddd2d15e0d2379b5b35712a5cf8ca1ded2db6a4870