Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

0a9b5f9ee5...8N.dll

windows7-x64

10

0a9b5f9ee5...8N.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    31s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/12/2024, 22:56 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a9b5f9ee551c20981af20431d48f84cd0d189a42dc840904f3e66e27f2a1578N.dll

  • Size

    120KB

  • MD5

    6809d71ef46483a16816634399eda3c0

  • SHA1

    951d8503dc5eb2febd7738352ab73f8aa2a072ea

  • SHA256

    0a9b5f9ee551c20981af20431d48f84cd0d189a42dc840904f3e66e27f2a1578

  • SHA512

    8a44862f61a7e30229892fab6206f18eab2cf213e4ec4dd16ef443411bd24e55f2bfde5013387f72a2fcf24333571cd581aceb549a4b4bd23d39b8f0b6bc4798

  • SSDEEP

    3072:tK6ioXmfTybpc2pkjhDW/nm8GQUqx7dewAXC:cToXuTCmQiDcn5ndLGC

Score
10/10
salitybackdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 14 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 27 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:784
    • C:\Windows\system32\fontdrvhost.exe
      "fontdrvhost.exe"
      1⤵
        PID:792
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
          PID:316
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
          1⤵
            PID:2656
          • C:\Windows\system32\sihost.exe
            sihost.exe
            1⤵
              PID:2664
            • C:\Windows\system32\taskhostw.exe
              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
              1⤵
                PID:2772
              • C:\Windows\Explorer.EXE
                C:\Windows\Explorer.EXE
                1⤵
                  PID:3556
                  • C:\Windows\system32\rundll32.exe
                    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a9b5f9ee551c20981af20431d48f84cd0d189a42dc840904f3e66e27f2a1578N.dll,#1
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2276
                    • C:\Windows\SysWOW64\rundll32.exe
                      rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a9b5f9ee551c20981af20431d48f84cd0d189a42dc840904f3e66e27f2a1578N.dll,#1
                      3⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:4604
                      • C:\Users\Admin\AppData\Local\Temp\e579f7c.exe
                        C:\Users\Admin\AppData\Local\Temp\e579f7c.exe
                        4⤵
                        • Modifies firewall policy service
                        • UAC bypass
                        • Windows security bypass
                        • Executes dropped EXE
                        • Windows security modification
                        • Checks whether UAC is enabled
                        • Enumerates connected drives
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        • System policy modification
                        PID:4868
                      • C:\Users\Admin\AppData\Local\Temp\e57a086.exe
                        C:\Users\Admin\AppData\Local\Temp\e57a086.exe
                        4⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:4212
                      • C:\Users\Admin\AppData\Local\Temp\e57caa3.exe
                        C:\Users\Admin\AppData\Local\Temp\e57caa3.exe
                        4⤵
                        • Modifies firewall policy service
                        • UAC bypass
                        • Windows security bypass
                        • Executes dropped EXE
                        • Windows security modification
                        • Checks whether UAC is enabled
                        • Enumerates connected drives
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        • System policy modification
                        PID:2176
                      • C:\Users\Admin\AppData\Local\Temp\e57cab2.exe
                        C:\Users\Admin\AppData\Local\Temp\e57cab2.exe
                        4⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:2160
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                  1⤵
                    PID:3676
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                    1⤵
                      PID:3884
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                        PID:3972
                      • C:\Windows\System32\RuntimeBroker.exe
                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                        1⤵
                          PID:4040
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          1⤵
                            PID:1016
                          • C:\Windows\System32\RuntimeBroker.exe
                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                            1⤵
                              PID:4008
                            • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
                              "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
                              1⤵
                                PID:4788
                              • C:\Windows\System32\RuntimeBroker.exe
                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                1⤵
                                  PID:3668
                                • C:\Windows\system32\backgroundTaskHost.exe
                                  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                  1⤵
                                    PID:2936

                                  Network

                                  • flag-us
                                    DNS
                                    241.150.49.20.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    241.150.49.20.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    72.32.126.40.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    72.32.126.40.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    95.221.229.192.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    95.221.229.192.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    196.249.167.52.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    196.249.167.52.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    212.20.149.52.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    212.20.149.52.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    171.39.242.20.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    171.39.242.20.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    107.12.20.2.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    107.12.20.2.in-addr.arpa
                                    IN PTR
                                    Response
                                    107.12.20.2.in-addr.arpa
                                    IN PTR
                                    a2-20-12-107deploystaticakamaitechnologiescom
                                  • flag-us
                                    DNS
                                    43.229.111.52.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    43.229.111.52.in-addr.arpa
                                    IN PTR
                                    Response
                                  No results found
                                  • 8.8.8.8:53
                                    241.150.49.20.in-addr.arpa
                                    dns
                                    72 B
                                     158 B
                                     1
                                    1

                                    DNS Request

                                    241.150.49.20.in-addr.arpa

                                  • 8.8.8.8:53
                                    72.32.126.40.in-addr.arpa
                                    dns
                                    71 B
                                     157 B
                                     1
                                    1

                                    DNS Request

                                    72.32.126.40.in-addr.arpa

                                  • 8.8.8.8:53
                                    95.221.229.192.in-addr.arpa
                                    dns
                                    73 B
                                     144 B
                                     1
                                    1

                                    DNS Request

                                    95.221.229.192.in-addr.arpa

                                  • 8.8.8.8:53
                                    196.249.167.52.in-addr.arpa
                                    dns
                                    73 B
                                     147 B
                                     1
                                    1

                                    DNS Request

                                    196.249.167.52.in-addr.arpa

                                  • 8.8.8.8:53
                                    212.20.149.52.in-addr.arpa
                                    dns
                                    72 B
                                     146 B
                                     1
                                    1

                                    DNS Request

                                    212.20.149.52.in-addr.arpa

                                  • 8.8.8.8:53
                                    171.39.242.20.in-addr.arpa
                                    dns
                                    72 B
                                     158 B
                                     1
                                    1

                                    DNS Request

                                    171.39.242.20.in-addr.arpa

                                  • 8.8.8.8:53
                                    107.12.20.2.in-addr.arpa
                                    dns
                                    70 B
                                     133 B
                                     1
                                    1

                                    DNS Request

                                    107.12.20.2.in-addr.arpa

                                  • 8.8.8.8:53
                                    43.229.111.52.in-addr.arpa
                                    dns
                                    72 B
                                     158 B
                                     1
                                    1

                                    DNS Request

                                    43.229.111.52.in-addr.arpa

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Temp\e579f7c.exe
                                    Filesize

                                    97KB

                                    MD5

                                    d816ac504664d18af73a18c0f8554ed0

                                    SHA1

                                    1b5716afa4de7b36aacce71a70d1091bcfe8f073

                                    SHA256

                                    babbf3f21e1ed39d49652fc04f831dff5fe45c0f2cad78e549a79d39726953c0

                                    SHA512

                                    563162b9c363be9478810c6ecad2499c4ba357c2158beb78e75ca90db933639313f04ae49ee379e27cc599eb499abe738dc9dbf6b545cfa9d2ebb24768147e28

                                    Download Submit

                                  • C:\Windows\SYSTEM.INI
                                    Filesize

                                    257B

                                    MD5

                                    5186da18411797fde01018fae771ff25

                                    SHA1

                                    3b170f16990ac04e65c7f948ec7bb88216b20c43

                                    SHA256

                                    3d1868e8b095eaa8da96d235d9c35bceb8ec38405ff1de40cf6976a4c00e3665

                                    SHA512

                                    2bc6713d0fb94a9911fb32d5f2559f5aa29e8aa060524936127885291f620a9ec93d7e8f4f390694626a8c950c21a8e3520339e9b69f6b8f1999539b00a2569d

                                    Download Submit

                                  • memory/2160-156-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/2176-157-0x00000000007F0000-0x00000000018AA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2176-158-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/2176-114-0x00000000007F0000-0x00000000018AA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4212-31-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/4212-97-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/4212-70-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/4212-43-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/4212-42-0x00000000001F0000-0x00000000001F1000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/4212-44-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/4604-0-0x0000000010000000-0x0000000010020000-memory.dmp

                                    Filesize

                                    128KB

                                    Download

                                  • memory/4604-27-0x00000000040E0000-0x00000000040E2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/4604-52-0x00000000040E0000-0x00000000040E2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/4604-17-0x00000000040E0000-0x00000000040E2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/4604-14-0x0000000004700000-0x0000000004701000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/4604-13-0x00000000040E0000-0x00000000040E2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/4868-38-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-61-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-36-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-35-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-34-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-37-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-32-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-39-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-25-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-9-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-16-0x0000000003E70000-0x0000000003E71000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/4868-45-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-10-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-56-0x0000000003520000-0x0000000003522000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/4868-59-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-33-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-62-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-63-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-65-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-66-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-69-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-28-0x0000000003520000-0x0000000003522000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/4868-72-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-78-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-93-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/4868-12-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-26-0x0000000003520000-0x0000000003522000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/4868-8-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-11-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-6-0x0000000000760000-0x000000000181A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4868-4-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  We care about your privacy.

                                  This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.