Analysis
max time kernel: 95s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/12/2024, 06:10
Static task: static1
Behavioral task: behavioral1
Sample: 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Resource: win7-20241010-en
General
Target: 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Size: 1.2MB
MD5: 5ea82f7896e439b045252a6765043d1d
SHA1: dd8436237f83f2d6b8afc8ac9d88b77ddd63e426
SHA256: 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c
SHA512: cc742f52630de290a9ed4e3aa46e289eee6e2948164ccc6d151ddcb69532481fadf98a83d003e6eb270df435170cca2df7f9ac726f257233c1f354c62d9bcbdf
SSDEEP: 24576:cFPOkBKUM2+6gN0MlguotQN5eVkMbcLOZdIgiMmcITX6pAoMX3ICXZGTsk8OC:qPM2+6gN0Mlg9t+eVPAslmcITqp8ICXJ
Malware Config
Extracted family: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Sality family
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe

resource | yara_rule
behavioral2/memory/4976-5-0x0000000002480000-0x000000000353A000-memory.dmp | upx
behavioral2/memory/4976-11-0x0000000002480000-0x000000000353A000-memory.dmp | upx
behavioral2/memory/4976-8-0x0000000002480000-0x000000000353A000-memory.dmp | upx
behavioral2/memory/4976-4-0x0000000002480000-0x000000000353A000-memory.dmp | upx
behavioral2/memory/4976-1-0x0000000002480000-0x000000000353A000-memory.dmp | upx
behavioral2/memory/4976-3-0x0000000002480000-0x000000000353A000-memory.dmp | upx
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\e579933 | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
File opened for modification | C:\Windows\SYSTEM.INI | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4976 | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
4976 | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4976 | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Token: SeDebugPrivilege | 4976 | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Token: SeDebugPrivilege | 4976 | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Token: SeDebugPrivilege | 4976 | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Token: SeDebugPrivilege | 4976 | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Token: SeDebugPrivilege | 4976 | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
System policy modification (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Processes
C:\Users\Admin\AppData\Local\Temp\21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\21bd9f760e8e971ef491dcfd8d864bf9f7804102b2ac411f09bf693c6831670c.exe"
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 4976
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)