Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

6f5810535a...0e.exe

windows7-x64

10

6f5810535a...0e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/12/2024, 07:20 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6f5810535a71dbfd6b10517a871dfd85e5e5f9c3c504e16910f5c5d97211df0e.exe

  • Size

    654KB

  • MD5

    7533d0576eead381d2502ad6ba854263

  • SHA1

    63b84f4f40172bf6d61884d4739325373a43b93d

  • SHA256

    6f5810535a71dbfd6b10517a871dfd85e5e5f9c3c504e16910f5c5d97211df0e

  • SHA512

    7b629e3ebe2cca4bbde06c672cfd414883f23f103ff0809b7453a8e873ca3d87ced8597412a7b7a9d5abb6cdfc51c940556ba77eef97e6f21d413d906421ac18

  • SSDEEP

    12288:r98rmdR3y4dqXLBzy6LRWohK9v26UrmAP6mY5O95Ev4uuYRY+hSIfiDbZwE:58VXpK9vJk6hO95sDKASIf9E

Score
10/10
salitybackdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:792
    • C:\Windows\system32\fontdrvhost.exe
      "fontdrvhost.exe"
      1⤵
        PID:800
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
          PID:384
        • C:\Windows\system32\sihost.exe
          sihost.exe
          1⤵
            PID:2816
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
            1⤵
              PID:668
            • C:\Windows\system32\taskhostw.exe
              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
              1⤵
                PID:3144
              • C:\Windows\Explorer.EXE
                C:\Windows\Explorer.EXE
                1⤵
                  PID:3444
                  • C:\Users\Admin\AppData\Local\Temp\6f5810535a71dbfd6b10517a871dfd85e5e5f9c3c504e16910f5c5d97211df0e.exe
                    "C:\Users\Admin\AppData\Local\Temp\6f5810535a71dbfd6b10517a871dfd85e5e5f9c3c504e16910f5c5d97211df0e.exe"
                    2⤵
                    • Modifies firewall policy service
                    • UAC bypass
                    • Windows security bypass
                    • Windows security modification
                    • Checks whether UAC is enabled
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    • System policy modification
                    PID:2304
                    • C:\Users\Admin\AppData\Local\Temp\qq_setup_21052\6f5810535a71dbfd6b10517a871dfd85e5e5f9c3c504e16910f5c5d97211df0e.exe
                      "C:\Users\Admin\AppData\Local\Temp\qq_setup_21052\6f5810535a71dbfd6b10517a871dfd85e5e5f9c3c504e16910f5c5d97211df0e.exe" --temp
                      3⤵
                      • Modifies firewall policy service
                      • UAC bypass
                      • Windows security bypass
                      • Executes dropped EXE
                      • Windows security modification
                      • Checks whether UAC is enabled
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:4940
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                  1⤵
                    PID:3556
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                    1⤵
                      PID:3744
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                        PID:3836
                      • C:\Windows\System32\RuntimeBroker.exe
                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                        1⤵
                          PID:3904
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          1⤵
                            PID:3992
                          • C:\Windows\System32\RuntimeBroker.exe
                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                            1⤵
                              PID:4156
                            • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
                              "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
                              1⤵
                                PID:2428
                              • C:\Windows\System32\RuntimeBroker.exe
                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                1⤵
                                  PID:3248
                                • C:\Windows\System32\RuntimeBroker.exe
                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                  1⤵
                                    PID:4508
                                  • C:\Windows\system32\backgroundTaskHost.exe
                                    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                    1⤵
                                      PID:4868

                                    Network

                                    • flag-us
                                      DNS
                                      104.219.191.52.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      104.219.191.52.in-addr.arpa
                                      IN PTR
                                      Response
                                    • flag-us
                                      DNS
                                      40.134.221.88.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      40.134.221.88.in-addr.arpa
                                      IN PTR
                                      Response
                                      40.134.221.88.in-addr.arpa
                                      IN PTR
                                      a88-221-134-40deploystaticakamaitechnologiescom
                                    • flag-us
                                      DNS
                                      73.31.126.40.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      73.31.126.40.in-addr.arpa
                                      IN PTR
                                      Response
                                    • flag-us
                                      DNS
                                      95.221.229.192.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      95.221.229.192.in-addr.arpa
                                      IN PTR
                                      Response
                                    • flag-us
                                      DNS
                                      241.150.49.20.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      241.150.49.20.in-addr.arpa
                                      IN PTR
                                      Response
                                    • flag-us
                                      DNS
                                      232.168.11.51.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      232.168.11.51.in-addr.arpa
                                      IN PTR
                                      Response
                                    • flag-us
                                      DNS
                                      212.20.149.52.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      212.20.149.52.in-addr.arpa
                                      IN PTR
                                      Response
                                    • flag-us
                                      DNS
                                      212.20.149.52.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      212.20.149.52.in-addr.arpa
                                      IN PTR
                                    • flag-us
                                      DNS
                                      15.164.165.52.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      15.164.165.52.in-addr.arpa
                                      IN PTR
                                      Response
                                    • flag-us
                                      DNS
                                      172.214.232.199.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      172.214.232.199.in-addr.arpa
                                      IN PTR
                                      Response
                                    No results found
                                    • 8.8.8.8:53
                                      104.219.191.52.in-addr.arpa
                                      dns
                                      73 B
                                       147 B
                                       1
                                      1

                                      DNS Request

                                      104.219.191.52.in-addr.arpa

                                    • 8.8.8.8:53
                                      40.134.221.88.in-addr.arpa
                                      dns
                                      72 B
                                       137 B
                                       1
                                      1

                                      DNS Request

                                      40.134.221.88.in-addr.arpa

                                    • 8.8.8.8:53
                                      73.31.126.40.in-addr.arpa
                                      dns
                                      71 B
                                       157 B
                                       1
                                      1

                                      DNS Request

                                      73.31.126.40.in-addr.arpa

                                    • 8.8.8.8:53
                                      95.221.229.192.in-addr.arpa
                                      dns
                                      73 B
                                       144 B
                                       1
                                      1

                                      DNS Request

                                      95.221.229.192.in-addr.arpa

                                    • 8.8.8.8:53
                                      241.150.49.20.in-addr.arpa
                                      dns
                                      72 B
                                       158 B
                                       1
                                      1

                                      DNS Request

                                      241.150.49.20.in-addr.arpa

                                    • 8.8.8.8:53
                                      232.168.11.51.in-addr.arpa
                                      dns
                                      72 B
                                       158 B
                                       1
                                      1

                                      DNS Request

                                      232.168.11.51.in-addr.arpa

                                    • 8.8.8.8:53
                                      212.20.149.52.in-addr.arpa
                                      dns
                                      144 B
                                       146 B
                                       2
                                      1

                                      DNS Request

                                      212.20.149.52.in-addr.arpa

                                      DNS Request

                                      212.20.149.52.in-addr.arpa

                                    • 8.8.8.8:53
                                      15.164.165.52.in-addr.arpa
                                      dns
                                      72 B
                                       146 B
                                       1
                                      1

                                      DNS Request

                                      15.164.165.52.in-addr.arpa

                                    • 8.8.8.8:53
                                      172.214.232.199.in-addr.arpa
                                      dns
                                      74 B
                                       128 B
                                       1
                                      1

                                      DNS Request

                                      172.214.232.199.in-addr.arpa

                                    • 8.8.8.8:53

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Temp\qq_setup_21052\6f5810535a71dbfd6b10517a871dfd85e5e5f9c3c504e16910f5c5d97211df0e.exe
                                      Filesize

                                      654KB

                                      MD5

                                      7533d0576eead381d2502ad6ba854263

                                      SHA1

                                      63b84f4f40172bf6d61884d4739325373a43b93d

                                      SHA256

                                      6f5810535a71dbfd6b10517a871dfd85e5e5f9c3c504e16910f5c5d97211df0e

                                      SHA512

                                      7b629e3ebe2cca4bbde06c672cfd414883f23f103ff0809b7453a8e873ca3d87ced8597412a7b7a9d5abb6cdfc51c940556ba77eef97e6f21d413d906421ac18

                                      Download Submit

                                    • C:\Windows\SYSTEM.INI
                                      Filesize

                                      257B

                                      MD5

                                      5b9188b9814f78b9b1b5a4a3094186c3

                                      SHA1

                                      0aeef96c42592c6df8479a848a375738c00ba8be

                                      SHA256

                                      d4ff3d3a68fc2c6eab88a23ae0dbd9027d14f1c6ebd12bc9f3565476553aba16

                                      SHA512

                                      a3444a5b77c4511791128f6dfce8bd9c2a4fcdd665a80925f465083944b4ea373ddae667c8a63df1aa6d83dd379f5320c8b480f5eebc395aa8eda8c3990c8566

                                      Download Submit

                                    • memory/2304-6-0x00000000023E0000-0x000000000349A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/2304-0-0x0000000000400000-0x00000000004A5000-memory.dmp

                                      Filesize

                                      660KB

                                      Download

                                    • memory/2304-13-0x00000000023E0000-0x000000000349A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/2304-11-0x0000000000400000-0x00000000004A5000-memory.dmp

                                      Filesize

                                      660KB

                                      Download

                                    • memory/2304-5-0x00000000023E0000-0x000000000349A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/2304-3-0x00000000023E0000-0x000000000349A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/4940-21-0x00000000009B0000-0x00000000009B2000-memory.dmp

                                      Filesize

                                      8KB

                                      Download

                                    • memory/4940-40-0x00000000009B0000-0x00000000009B2000-memory.dmp

                                      Filesize

                                      8KB

                                      Download

                                    • memory/4940-23-0x0000000002270000-0x000000000332A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/4940-22-0x00000000038B0000-0x00000000038B1000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/4940-14-0x0000000000400000-0x00000000004A5000-memory.dmp

                                      Filesize

                                      660KB

                                      Download

                                    • memory/4940-18-0x0000000002270000-0x000000000332A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/4940-20-0x0000000002270000-0x000000000332A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/4940-34-0x0000000002270000-0x000000000332A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/4940-36-0x0000000002270000-0x000000000332A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/4940-19-0x0000000002270000-0x000000000332A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/4940-39-0x0000000002270000-0x000000000332A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/4940-49-0x0000000000400000-0x00000000004A5000-memory.dmp

                                      Filesize

                                      660KB

                                      Download

                                    • memory/4940-35-0x0000000002270000-0x000000000332A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/4940-25-0x0000000002270000-0x000000000332A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/4940-24-0x0000000002270000-0x000000000332A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/4940-28-0x00000000009B0000-0x00000000009B2000-memory.dmp

                                      Filesize

                                      8KB

                                      Download

                                    • memory/4940-27-0x0000000002270000-0x000000000332A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/4940-26-0x00000000009B0000-0x00000000009B2000-memory.dmp

                                      Filesize

                                      8KB

                                      Download

                                    We care about your privacy.

                                    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.