Analysis

max time kernel: 110s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/12/2024, 20:24

Static task: static1
Behavioral task: behavioral1
Sample: 2761d9cac0a88842100b74294422544c7e190d055e08ce4161645e21460d1a49.dll
Resource: win7-20240729-en
General

Target: 2761d9cac0a88842100b74294422544c7e190d055e08ce4161645e21460d1a49.dll
Size: 120KB
MD5: df9930ac6278241ebc7c9981c5e11eaf
SHA1: 5bfd177fed0352e47fbc9fcc207a6a181a2e7922
SHA256: 2761d9cac0a88842100b74294422544c7e190d055e08ce4161645e21460d1a49
SHA512: 795fdc620c9ddf373e0d7760bb38fc1cb56a66c7e86894445806ccaa3d064c9aa972d86b5c6c044f6f71ba1175844ff7d08fad5cdbf75c543779e2c5be967ac1
SSDEEP: 1536:QBF9UCDfkL5Tfp9SZ9sYd7whiRPgT4JbSRnTCuixjztklsJXJ+MRaSht7tmrDy25:QBFAVKXsYq+inT0jZkaJ5+mftmrDy2
Malware Config

Extracted
family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57a43f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57a43f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57a43f.exe

Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a43f.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a43f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a43f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a43f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a43f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a43f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a43f.exe

Executes dropped EXE (3 IoCs)
pid | Process
1848 | e57a43f.exe
2232 | e57a577.exe
2244 | e57bf97.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a43f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a43f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a43f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a43f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a43f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a43f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57a43f.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a43f.exe

Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P: | e57a43f.exe
File opened (read-only) | \??\E: | e57a43f.exe
File opened (read-only) | \??\M: | e57a43f.exe
File opened (read-only) | \??\O: | e57a43f.exe
File opened (read-only) | \??\R: | e57a43f.exe
File opened (read-only) | \??\H: | e57a43f.exe
File opened (read-only) | \??\K: | e57a43f.exe
File opened (read-only) | \??\Q: | e57a43f.exe
File opened (read-only) | \??\G: | e57a43f.exe
File opened (read-only) | \??\J: | e57a43f.exe
File opened (read-only) | \??\L: | e57a43f.exe
File opened (read-only) | \??\N: | e57a43f.exe
File opened (read-only) | \??\S: | e57a43f.exe
File opened (read-only) | \??\I: | e57a43f.exe

Yara rule match: upx (30 memory resources of PID 1848, all in the region 0x0000000000730000-0x00000000017EA000)
resource | yara_rule
behavioral2/memory/1848-6-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-9-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-25-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-33-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-26-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-11-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-12-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-10-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-8-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-34-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-35-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-36-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-37-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-38-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-39-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-41-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-42-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-50-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-52-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-54-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-64-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-65-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-69-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-71-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-74-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-80-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-82-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-84-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-86-0x0000000000730000-0x00000000017EA000-memory.dmp | upx
behavioral2/memory/1848-90-0x0000000000730000-0x00000000017EA000-memory.dmp | upx

Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e57a43f.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57a43f.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57a43f.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57a43f.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\e57a4ac | e57a43f.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57a43f.exe

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a43f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a577.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bf97.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1848 | e57a43f.exe
1848 | e57a43f.exe
1848 | e57a43f.exe
1848 | e57a43f.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1848 | e57a43f.exe
(all 64 entries are identical to the row above)

Suspicious use of WriteProcessMemory (50 IoCs)
description | pid | Process | procid_target
PID 3612 wrote to memory of 2876 | 3612 | rundll32.exe | 83
PID 3612 wrote to memory of 2876 | 3612 | rundll32.exe | 83
PID 3612 wrote to memory of 2876 | 3612 | rundll32.exe | 83
PID 2876 wrote to memory of 1848 | 2876 | rundll32.exe | 84
PID 2876 wrote to memory of 1848 | 2876 | rundll32.exe | 84
PID 2876 wrote to memory of 1848 | 2876 | rundll32.exe | 84
PID 1848 wrote to memory of 800 | 1848 | e57a43f.exe | 9
PID 1848 wrote to memory of 804 | 1848 | e57a43f.exe | 10
PID 1848 wrote to memory of 316 | 1848 | e57a43f.exe | 13
PID 1848 wrote to memory of 2832 | 1848 | e57a43f.exe | 49
PID 1848 wrote to memory of 3004 | 1848 | e57a43f.exe | 50
PID 1848 wrote to memory of 1964 | 1848 | e57a43f.exe | 52
PID 1848 wrote to memory of 3444 | 1848 | e57a43f.exe | 56
PID 1848 wrote to memory of 3568 | 1848 | e57a43f.exe | 57
PID 1848 wrote to memory of 3756 | 1848 | e57a43f.exe | 58
PID 1848 wrote to memory of 3840 | 1848 | e57a43f.exe | 59
PID 1848 wrote to memory of 3940 | 1848 | e57a43f.exe | 60
PID 1848 wrote to memory of 4028 | 1848 | e57a43f.exe | 61
PID 1848 wrote to memory of 2296 | 1848 | e57a43f.exe | 62
PID 1848 wrote to memory of 4436 | 1848 | e57a43f.exe | 74
PID 1848 wrote to memory of 3608 | 1848 | e57a43f.exe | 76
PID 1848 wrote to memory of 2236 | 1848 | e57a43f.exe | 81
PID 1848 wrote to memory of 3612 | 1848 | e57a43f.exe | 82
PID 1848 wrote to memory of 2876 | 1848 | e57a43f.exe | 83
PID 1848 wrote to memory of 2876 | 1848 | e57a43f.exe | 83
PID 2876 wrote to memory of 2232 | 2876 | rundll32.exe | 85
PID 2876 wrote to memory of 2232 | 2876 | rundll32.exe | 85
PID 2876 wrote to memory of 2232 | 2876 | rundll32.exe | 85
PID 2876 wrote to memory of 2244 | 2876 | rundll32.exe | 87
PID 2876 wrote to memory of 2244 | 2876 | rundll32.exe | 87
PID 2876 wrote to memory of 2244 | 2876 | rundll32.exe | 87
PID 1848 wrote to memory of 800 | 1848 | e57a43f.exe | 9
PID 1848 wrote to memory of 804 | 1848 | e57a43f.exe | 10
PID 1848 wrote to memory of 316 | 1848 | e57a43f.exe | 13
PID 1848 wrote to memory of 2832 | 1848 | e57a43f.exe | 49
PID 1848 wrote to memory of 3004 | 1848 | e57a43f.exe | 50
PID 1848 wrote to memory of 1964 | 1848 | e57a43f.exe | 52
PID 1848 wrote to memory of 3444 | 1848 | e57a43f.exe | 56
PID 1848 wrote to memory of 3568 | 1848 | e57a43f.exe | 57
PID 1848 wrote to memory of 3756 | 1848 | e57a43f.exe | 58
PID 1848 wrote to memory of 3840 | 1848 | e57a43f.exe | 59
PID 1848 wrote to memory of 3940 | 1848 | e57a43f.exe | 60
PID 1848 wrote to memory of 4028 | 1848 | e57a43f.exe | 61
PID 1848 wrote to memory of 2296 | 1848 | e57a43f.exe | 62
PID 1848 wrote to memory of 4436 | 1848 | e57a43f.exe | 74
PID 1848 wrote to memory of 3608 | 1848 | e57a43f.exe | 76
PID 1848 wrote to memory of 2232 | 1848 | e57a43f.exe | 85
PID 1848 wrote to memory of 2232 | 1848 | e57a43f.exe | 85
PID 1848 wrote to memory of 2244 | 1848 | e57a43f.exe | 87
PID 1848 wrote to memory of 2244 | 1848 | e57a43f.exe | 87

System policy modification (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a43f.exe
Processes

Each entry is: image path (command line), PID. Indentation shows the parent/child relationship; matched signatures are listed under the process.

- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe"), PID 800
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe"), PID 804
- C:\Windows\system32\dwm.exe ("dwm.exe"), PID 316
- C:\Windows\system32\sihost.exe (sihost.exe), PID 2832
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc), PID 3004
- C:\Windows\system32\taskhostw.exe (taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}), PID 1964
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE), PID 3444
  - C:\Windows\system32\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\2761d9cac0a88842100b74294422544c7e190d055e08ce4161645e21460d1a49.dll,#1), PID 3612
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\2761d9cac0a88842100b74294422544c7e190d055e08ce4161645e21460d1a49.dll,#1), PID 2876
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57a43f.exe (C:\Users\Admin\AppData\Local\Temp\e57a43f.exe), PID 1848
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57a577.exe (C:\Users\Admin\AppData\Local\Temp\e57a577.exe), PID 2232
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57bf97.exe (C:\Users\Admin\AppData\Local\Temp\e57bf97.exe), PID 2244
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc), PID 3568
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}), PID 3756
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe ("C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca), PID 3840
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding), PID 3940
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe ("C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca), PID 4028
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding), PID 2296
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe ("C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca), PID 4436
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding), PID 3608
- C:\Windows\system32\backgroundTaskHost.exe ("C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca), PID 2236
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 39271995d6501fed7ae75dd7e0a70fa1
SHA1: 90e9e90af5512e2ea1196ec5a3d2e8476aa54c45
SHA256: 3db3e5527cb7ca63a5333ffb8f59d24eebfbcda9ca7978d56bca1efbe77587bc
SHA512: 6ab6757882c2c5cd3bb8d0fac524faa215fff18e47a581f89c38575dfa9f5ee8945b474fe9f667e04fbdc56056c847ee848cfca16b15c962de4054fec4d05098