Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10/12/2024, 16:08
General
-
Target
ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe
-
Size
1.0MB
-
MD5
14c057aa28de8f08e9ff1498351f6d90
-
SHA1
ebe3b736756ca6b81752459f02cce257e3381263
-
SHA256
ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707
-
SHA512
070b87e18df1a594c05c65e15fb3c92a99952438635df3c47c871ec2b6366e9488bf5a86e40a530321446a35edc3e85d6fcea71f751ae70797cf4a286b47706a
-
SSDEEP
12288:MYEWcMwLfzH5BUdtsKR0yCKM8CxF7h5NGyENSrzXVoGsqACwUeCCbSzVczdDsgcx:MYUk3X5N2FXNGCrZEqACXeCXcdve1D
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe"C:\Users\Admin\AppData\Local\Temp\ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707N.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
994KB
MD54e56691e6a461094f27547a3d8d322a3
SHA136e595fa2d7dfe01ec8fc1b3c21654c067b48264
SHA2560b50a7c90a09552566d63926c57904b1c89e6c3a1ab583e5c16e8d1922ca44f0
SHA51288cd05445a186d591b61210b9afb59e21d50ccac415ce297c353fb3c79bff921ca9827769e4b60ba2ad83316f1f2f0925d0e1f994862bb853461800a5c306f2d
-
Filesize
5KB
MD5cae8cbe148469accf1ccf9692316e8f9
SHA164e9308e6b541ad99c6fe4dc90829c7e17794ea4
SHA2568a27ff148592c3bdd33e5e9e87b9b05f54a1c136d002746696aeb9e9bd426395
SHA51272f1c7ec5f272d51c3f712c3b03eead35c3c0540adc5cd1f27004fb659f384720aa841f32fb76ada506398be767c3851633c95755af9af3d6b8980d74cee1023
-
Filesize
1.5MB
MD50d360c149b2c6649637985ee8b0a90a8
SHA12b86f26310127645bc0c758ddf1fd0f42465b053
SHA2569088ac40d822a32efaf756d4d866faa72e69070d691907adfb0dfe916ccdb05f
SHA51296342c15738fc766ce7ea65b5c4a18829d68cc65f1ce931733820d9c9bda4e8bf570f90e26726b063eeddfc40bf454c6ae7751936c5d085cbc03d7f6989f7091
-
Filesize
1.0MB
MD514c057aa28de8f08e9ff1498351f6d90
SHA1ebe3b736756ca6b81752459f02cce257e3381263
SHA256ef71464691d3cd3708c47239a91dffc2fe86ad260d5189b4be116b2cdd3a7707
SHA512070b87e18df1a594c05c65e15fb3c92a99952438635df3c47c871ec2b6366e9488bf5a86e40a530321446a35edc3e85d6fcea71f751ae70797cf4a286b47706a
-
Filesize
257B
MD57491405c7627e41369d69aabab79ec7e
SHA1030d66d840eedc96617553623fa26ec29d6c8adc
SHA256ab496a9461b6da63b7d5a45421a8d4997a602c97c08ac3d8c779e5fc20937423
SHA5125184d0f094e295d2ed085334a8ab057b24f9bdff84842d1680a0f3d23307d1ddf561e00f1836419dcc978be038d1965cb3ea8c18993603821536f51d080b2c49
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
1.4MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
1.4MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
1.4MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
1.4MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB