Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 29s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 10/12/2024, 15:32
Static task: static1
Behavioral task: behavioral1
Sample: 4e1919969760e7f9b30e30dc751f3e3f17cad17345a34f8dc5ae88f576ba8f3cN.dll
Resource: win7-20240903-en
General
- Target: 4e1919969760e7f9b30e30dc751f3e3f17cad17345a34f8dc5ae88f576ba8f3cN.dll
- Size: 120KB
- MD5: 849642da0ca58f0b338ff101c7e813d0
- SHA1: 6f841f89ed15c5e73ef79bcc07056f1d5f3a8640
- SHA256: 4e1919969760e7f9b30e30dc751f3e3f17cad17345a34f8dc5ae88f576ba8f3c
- SHA512: 9a3d037fd6d0cf8e9ee4e4e6ffbaefaa4843b9446040eb22e61862d7573654c70f064097e742b6a79c7f514581e3b3edd6cc51e8259ea98b02b28515d1cc643c
- SSDEEP: 1536:wAIUPIU68VHeJSlIoj01+jc1E6X5BLE3gLMD6KZmM45EKxM8T854wIoBMM52:QU68ISlIoo13XTE31OOmMWNM2IIouB
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76c552.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76c552.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76c552.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76e8f8.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76e8f8.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76e8f8.exe
Sality family

UAC bypass (2 IoCs)
description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76c552.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76e8f8.exe

Windows security bypass (12 IoCs)
description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76e8f8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76e8f8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76c552.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76c552.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76c552.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76c552.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76e8f8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76e8f8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76e8f8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76e8f8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76c552.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76c552.exe
Executes dropped EXE (3 IoCs)
pid / Process:
- 2160 f76c552.exe
- 2640 f76cfbd.exe
- 2104 f76e8f8.exe
Loads dropped DLL (6 IoCs)
pid / Process:
- 2984 rundll32.exe (6 loads)
Windows security modification (14 IoCs)
description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76e8f8.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76e8f8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76c552.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76c552.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76e8f8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76c552.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76e8f8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76e8f8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76c552.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76c552.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76c552.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76e8f8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76c552.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76e8f8.exe

Checks whether UAC is enabled (2 IoCs)
description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76c552.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76e8f8.exe
Enumerates connected drives (3 TTPs, 13 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description / ioc / Process:
- File opened (read-only) \??\H: f76c552.exe
- File opened (read-only) \??\I: f76c552.exe
- File opened (read-only) \??\J: f76c552.exe
- File opened (read-only) \??\K: f76c552.exe
- File opened (read-only) \??\M: f76c552.exe
- File opened (read-only) \??\N: f76c552.exe
- File opened (read-only) \??\E: f76e8f8.exe
- File opened (read-only) \??\G: f76c552.exe
- File opened (read-only) \??\L: f76c552.exe
- File opened (read-only) \??\O: f76c552.exe
- File opened (read-only) \??\P: f76c552.exe
- File opened (read-only) \??\Q: f76c552.exe
- File opened (read-only) \??\E: f76c552.exe
yara rule upx (packed memory regions, 23 IoCs)
resource / yara_rule:
- behavioral1/memory/2160-N-0x0000000000590000-0x000000000164A000-memory.dmp upx, for N in 12, 14, 15, 16, 17, 18, 19, 20, 21, 22, 43, 50, 65, 66, 67, 70, 84, 85, 86, 89, 148 (21 dumps of the same region of PID 2160)
- behavioral1/memory/2104-179-0x0000000000930000-0x00000000019EA000-memory.dmp upx
- behavioral1/memory/2104-204-0x0000000000930000-0x00000000019EA000-memory.dmp upx
Drops file in Windows directory (3 IoCs)
description / ioc / Process:
- File created C:\Windows\f76c5bf f76c552.exe
- File opened for modification C:\Windows\SYSTEM.INI f76c552.exe
- File created C:\Windows\f771f44 f76e8f8.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f76e8f8.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f76c552.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid / Process:
- 2160 f76c552.exe
- 2160 f76c552.exe
- 2104 f76e8f8.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
description / pid / Process (46 events in total, all SeDebugPrivilege, from PIDs 2160 and 2104):
- Token: SeDebugPrivilege 2160 f76c552.exe (repeated)
- Token: SeDebugPrivilege 2104 f76e8f8.exe (repeated)
Suspicious use of WriteProcessMemory (38 IoCs)
description / pid / Process / procid_target (repeated rows are collapsed with their count):
- PID 1480 wrote to memory of 2984 1480 rundll32.exe 30 (x7)
- PID 2984 wrote to memory of 2160 2984 rundll32.exe 31 (x4)
- PID 2160 wrote to memory of 1100 2160 f76c552.exe 19
- PID 2160 wrote to memory of 1160 2160 f76c552.exe 20
- PID 2160 wrote to memory of 1248 2160 f76c552.exe 21
- PID 2160 wrote to memory of 800 2160 f76c552.exe 25
- PID 2160 wrote to memory of 1480 2160 f76c552.exe 29
- PID 2160 wrote to memory of 2984 2160 f76c552.exe 30 (x2)
- PID 2984 wrote to memory of 2640 2984 rundll32.exe 32 (x4)
- PID 2984 wrote to memory of 2104 2984 rundll32.exe 34 (x4)
- PID 2160 wrote to memory of 1100 2160 f76c552.exe 19
- PID 2160 wrote to memory of 1160 2160 f76c552.exe 20
- PID 2160 wrote to memory of 1248 2160 f76c552.exe 21
- PID 2160 wrote to memory of 800 2160 f76c552.exe 25
- PID 2160 wrote to memory of 2640 2160 f76c552.exe 32 (x2)
- PID 2160 wrote to memory of 2104 2160 f76c552.exe 34 (x2)
- PID 2104 wrote to memory of 1100 2104 f76e8f8.exe 19
- PID 2104 wrote to memory of 1160 2104 f76e8f8.exe 20
- PID 2104 wrote to memory of 1248 2104 f76e8f8.exe 21
- PID 2104 wrote to memory of 800 2104 f76e8f8.exe 25
System policy modification (1 TTPs, 2 IoCs)
description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76c552.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76e8f8.exe
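The registry, file and drive rows above all share one "description / ioc / Process" shape, so they can be triaged mechanically. The following Python is an added example by the editor, not tria.ge code and not part of the report: it parses rows in that shape (one per line), flags the defence-impairing values the report records (EnableFirewall=0, EnableLUA=0, Security Center *Override/*DisableNotify=1), spots the NLS\Language read and the drive-root probing, and maps each to the ATT&CK technique the report names. The technique IDs are the editor's own mapping of those names (Enterprise v15); the report itself only gives the names. The `drive_threshold` of 3 and the SAMPLE_ROWS (constructed from rows in the Signatures section) are assumptions for the example.

```python
"""Triage 'description / ioc / Process' rows from a sandbox report.

Added example by the editor; it is not tria.ge code and not part of the
report. SAMPLE_ROWS is constructed from rows in the Signatures section.
The ATT&CK IDs are the editor's mapping of the technique names the report
lists (Enterprise v15); the report itself only names the techniques.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# One row per line, in the report's own shape:
#   <action> <path>[ = "<value>"] <process>
# The path may contain spaces ("Security Center"), so it is matched lazily
# and the process name is taken as the last whitespace-free token.
ROW_RE = re.compile(
    r'^(?P<action>Set value \((?:int|str)\)|Key created|Key opened|'
    r'File created|File opened \(read-only\)|File opened for modification)\s+'
    r'(?P<path>.+?)'
    r'(?:\s*=\s*"(?P<value>[^"]*)")?'
    r'\s+(?P<process>\S+)$'
)


@dataclass(frozen=True)
class Ioc:
    action: str
    path: str
    value: str | None
    process: str


def parse_rows(text: str) -> list[Ioc]:
    """Parse one IoC row per line; lines that do not fit the shape are skipped."""
    iocs: list[Ioc] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            iocs.append(Ioc(m["action"], m["path"], m["value"], m["process"]))
    return iocs


# (pattern on the registry path, value that impairs the control, technique).
REGISTRY_RULES = [
    (re.compile(r"\\FirewallPolicy\\\w+Profile\\(?:EnableFirewall|DoNotAllowExceptions)$"),
     "0", "T1562.004 Disable or Modify System Firewall"),
    (re.compile(r"\\FirewallPolicy\\\w+Profile\\DisableNotifications$"),
     "1", "T1562.004 Disable or Modify System Firewall"),
    # EnableLUA = 0 switches UAC off system-wide from the next logon.
    (re.compile(r"\\Policies\\System\\EnableLUA$"),
     "0", "T1548.002 Bypass User Account Control"),
    # Security Center *Override / *DisableNotify = 1 mutes the AV, firewall,
    # UAC and update warnings; a 32-bit writer on x64 lands under Wow6432Node.
    (re.compile(r"\\Security Center\\\w+(?:DisableNotify|Override)$"),
     "1", "T1562.001 Disable or Modify Tools"),
]

DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$")  # matches \??\E:


def drive_enumeration(iocs: list[Ioc]) -> dict[str, list[str]]:
    """Drive roots each process opened read-only, e.g. {'f76c552.exe': ['E:', 'G:']}."""
    drives: dict[str, set[str]] = defaultdict(set)
    for ioc in iocs:
        m = DRIVE_RE.match(ioc.path)
        if m and ioc.action == "File opened (read-only)":
            drives[ioc.process].add(m.group(1) + ":")
    return {proc: sorted(d) for proc, d in drives.items()}


def triage(text: str, drive_threshold: int = 3) -> dict[str, list[str]]:
    """Map each process to the sorted findings its rows support."""
    iocs = parse_rows(text)
    findings: dict[str, set[str]] = defaultdict(set)
    for ioc in iocs:
        if ioc.action.startswith("Set value"):
            for pattern, bad_value, technique in REGISTRY_RULES:
                if ioc.value == bad_value and pattern.search(ioc.path):
                    findings[ioc.process].add(technique)
        elif ioc.action == "Key opened" and ioc.path.endswith(r"\NLS\Language"):
            findings[ioc.process].add("T1614.001 System Language Discovery")
    # Probing several drive roots is the report's "Enumerates connected
    # drives"; one root (E: alone) is too little to call it (threshold assumed).
    for proc, drives in drive_enumeration(iocs).items():
        if len(drives) >= drive_threshold:
            findings[proc].add(f"Enumerates connected drives ({', '.join(drives)})")
    return {proc: sorted(f) for proc, f in findings.items()}


# Constructed sample: a subset of the rows in the Signatures section above.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76c552.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76c552.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76e8f8.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76c552.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76e8f8.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe
File opened (read-only) \??\E: f76c552.exe
File opened (read-only) \??\G: f76c552.exe
File opened (read-only) \??\H: f76c552.exe
File opened (read-only) \??\E: f76e8f8.exe
"""

if __name__ == "__main__":
    for proc, found in triage(SAMPLE_ROWS).items():
        print(proc, "->", found)
```

Run against the full row set above, the same rules attribute the firewall, Security Center and EnableLUA writes to both droppers, and only `rundll32.exe`, `f76c552.exe` and `f76e8f8.exe` touch `NLS\Language`. The rules are deliberately value-sensitive: a row setting EnableLUA back to "1" is not a finding.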
Processes
- C:\Windows\system32\taskhost.exe, PID 1100
  command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe, PID 1160
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE, PID 1248
  command line: C:\Windows\Explorer.EXE
- C:\Windows\system32\rundll32.exe, PID 1480
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4e1919969760e7f9b30e30dc751f3e3f17cad17345a34f8dc5ae88f576ba8f3cN.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe, PID 2984 (child of 1480)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4e1919969760e7f9b30e30dc751f3e3f17cad17345a34f8dc5ae88f576ba8f3cN.dll,#1
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f76c552.exe, PID 2160 (child of 2984)
      command line: C:\Users\Admin\AppData\Local\Temp\f76c552.exe
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f76cfbd.exe, PID 2640 (child of 2984)
      command line: C:\Users\Admin\AppData\Local\Temp\f76cfbd.exe
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\f76e8f8.exe, PID 2104 (child of 2984)
      command line: C:\Users\Admin\AppData\Local\Temp\f76e8f8.exe
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\DllHost.exe, PID 800
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
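The "Suspicious use of WriteProcessMemory" rows and the process tree together show which writes are routine and which are injection. The 64-bit rundll32.exe (PID 1480) writing into the SysWOW64 rundll32.exe (PID 2984) it started to host the 32-bit DLL, and 2984 writing into the three droppers it spawned, are what process creation looks like; f76c552.exe (PID 2160) and f76e8f8.exe (PID 2104) writing into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe, which they did not create, is cross-process injection. The Python below is an added example by the editor, not tria.ge code and not part of the report: it parses rows in the report's own "PID A wrote to memory of B" shape and splits distinct (writer, target) pairs by whether the target is the writer's child in the process tree. PROCESS_TREE and PROCESS_NAMES are copied from the Processes section; SAMPLE_WRITES is a constructed subset of the report's rows.

```python
"""Separate process-creation writes from cross-process injection.

Added example by the editor; not tria.ge code and not part of the report.
A parent writing into a process it has just created is expected
(CreateProcess does it); a write into a process the writer did not
create is injection. PROCESS_TREE and PROCESS_NAMES come from the
Processes section of the report; SAMPLE_WRITES is a constructed subset
of the report's "wrote to memory of" rows.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Row shape: "PID <src> wrote to memory of <dst> <src> <process name> <target index>",
# optionally followed by "(xN)" where the report lists a row with a repeat count.
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P=src) (?P<name>\S+) (?P<target>\d+)(?: \(x\d+\))?$"
)

# parent PID -> PIDs it created, as the Processes section shows them.
PROCESS_TREE: dict[int, set[int]] = {1480: {2984}, 2984: {2160, 2640, 2104}}

PROCESS_NAMES: dict[int, str] = {
    1100: "taskhost.exe", 1160: "Dwm.exe", 1248: "Explorer.EXE", 800: "DllHost.exe",
    1480: "rundll32.exe", 2984: "rundll32.exe",
    2160: "f76c552.exe", 2640: "f76cfbd.exe", 2104: "f76e8f8.exe",
}

# Constructed sample: a subset of the report's WriteProcessMemory rows.
SAMPLE_WRITES = """\
PID 1480 wrote to memory of 2984 1480 rundll32.exe 30 (x7)
PID 2984 wrote to memory of 2160 2984 rundll32.exe 31
PID 2160 wrote to memory of 1100 2160 f76c552.exe 19
PID 2160 wrote to memory of 1248 2160 f76c552.exe 21
PID 2160 wrote to memory of 1480 2160 f76c552.exe 29
PID 2160 wrote to memory of 2984 2160 f76c552.exe 30 (x2)
PID 2984 wrote to memory of 2104 2984 rundll32.exe 34
PID 2160 wrote to memory of 2104 2160 f76c552.exe 34
PID 2104 wrote to memory of 800 2104 f76e8f8.exe 25
"""


def parse_writes(text: str) -> list[tuple[int, int, str]]:
    """(source pid, destination pid, source process name) per row, in order."""
    rows: list[tuple[int, int, str]] = []
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            rows.append((int(m["src"]), int(m["dst"]), m["name"]))
    return rows


def classify_writes(text: str,
                    tree: dict[int, set[int]] = PROCESS_TREE) -> dict[str, list[tuple[int, int]]]:
    """Split distinct (src, dst) pairs into 'spawn' (dst is src's child) and 'injection'."""
    result: dict[str, list[tuple[int, int]]] = {"spawn": [], "injection": []}
    seen: set[tuple[int, int]] = set()
    for src, dst, _name in parse_writes(text):
        if (src, dst) in seen:
            continue
        seen.add((src, dst))
        kind = "spawn" if dst in tree.get(src, set()) else "injection"
        result[kind].append((src, dst))
    return result


def injection_targets(text: str,
                      tree: dict[int, set[int]] = PROCESS_TREE,
                      names: dict[int, str] = PROCESS_NAMES) -> dict[str, list[str]]:
    """Injector process name -> sorted 'target name (pid)' list."""
    targets: dict[str, set[str]] = defaultdict(set)
    for src, dst in classify_writes(text, tree)["injection"]:
        targets[names.get(src, str(src))].add(f"{names.get(dst, 'unknown')} ({dst})")
    return {proc: sorted(t) for proc, t in targets.items()}


if __name__ == "__main__":
    for proc, hit in injection_targets(SAMPLE_WRITES).items():
        print(proc, "injects into", hit)
```

Two points the output makes visible: f76c552.exe writes not only into the four pre-existing system processes but also into its own parent (2984), its grandparent (1480) and its sibling f76e8f8.exe (2104), none of which it created. The classifier only knows parent/child relationships, so a legitimate debugger or installer writing into an unrelated process would be flagged the same way; it is a triage aid for rows like these, not a verdict.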
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Create or Modify System Process (1): Windows Service (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  - Modify Registry (5)
Downloads
- Filesize: 257B
  MD5: 5717918ce21a5c96336b41c82f1730fc
  SHA1: 2224c8bcb024e32d0e9592f14a472be6a7924f79
  SHA256: 5effe0fa3483b1e2ad2754cf31c26c9b033db95de1b2642013f2500f425aee23
  SHA512: 5ec8b596041888bd885a6d9a2667a5b4c49c0adee837d2b10e48a2df6cc423c3f2a1b491fee771d5a81d03546f7beec64cd62874937c5313e6e9cd3d7aeac3ac
- Filesize: 97KB
  MD5: 25b10e1f08436c9277cac2776dfb753d
  SHA1: 1a8cc487dfdf41421248067fccad94fbe184737b
  SHA256: fe180c305f1d63e60222ee35e9e32309af4934a7584909b1fd700618b4de96a0
  SHA512: 00052478ff86018c9f384deca61452b166ad5634fb3388354b1d317cf11cb30fccca366a9ba3822300e5e08983d3f951cdc2de82221fe878f9b90bc1728ceedc