Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

654645d0e6...dN.dll

windows7-x64

10

654645d0e6...dN.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/12/2024, 00:39 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    654645d0e63f8111c2c8d34d4016c4a429e18865162204c7384541e6fb1330fdN.dll

  • Size

    120KB

  • MD5

    790dc15e1a2dbcf016963904499a8520

  • SHA1

    87786547ed264dcc5958ac4b207a45663fe43cca

  • SHA256

    654645d0e63f8111c2c8d34d4016c4a429e18865162204c7384541e6fb1330fd

  • SHA512

    09d0533f48f9d8d7e9e0dfc3e2c868245005ec32b19e97aeefa38fffa023d05fcb381dcb11535324ff72b220910346f219c6942b84127a02eb9af3118d77167e

  • SSDEEP

    1536:zr+6wOnMvsnZJjb2HXki8L2TkWZJVxUbVeessIaGiyLyxTJQp6tSDEDHfI:Hp6vSB2HtgHWZ3xUZedH2/9O6wD4

Score
10/10
salitybackdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 12 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 26 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:792
    • C:\Windows\system32\fontdrvhost.exe
      "fontdrvhost.exe"
      1⤵
        PID:800
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
          PID:60
        • C:\Windows\system32\sihost.exe
          sihost.exe
          1⤵
            PID:2964
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
            1⤵
              PID:3024
            • C:\Windows\system32\taskhostw.exe
              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
              1⤵
                PID:2636
              • C:\Windows\Explorer.EXE
                C:\Windows\Explorer.EXE
                1⤵
                  PID:3436
                  • C:\Windows\system32\rundll32.exe
                    rundll32.exe C:\Users\Admin\AppData\Local\Temp\654645d0e63f8111c2c8d34d4016c4a429e18865162204c7384541e6fb1330fdN.dll,#1
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:5052
                    • C:\Windows\SysWOW64\rundll32.exe
                      rundll32.exe C:\Users\Admin\AppData\Local\Temp\654645d0e63f8111c2c8d34d4016c4a429e18865162204c7384541e6fb1330fdN.dll,#1
                      3⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:2016
                      • C:\Users\Admin\AppData\Local\Temp\e5774a3.exe
                        C:\Users\Admin\AppData\Local\Temp\e5774a3.exe
                        4⤵
                        • Modifies firewall policy service
                        • UAC bypass
                        • Windows security bypass
                        • Executes dropped EXE
                        • Windows security modification
                        • Checks whether UAC is enabled
                        • Enumerates connected drives
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        • System policy modification
                        PID:4828
                      • C:\Users\Admin\AppData\Local\Temp\e5776c6.exe
                        C:\Users\Admin\AppData\Local\Temp\e5776c6.exe
                        4⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:2004
                      • C:\Users\Admin\AppData\Local\Temp\e579f0f.exe
                        C:\Users\Admin\AppData\Local\Temp\e579f0f.exe
                        4⤵
                        • Modifies firewall policy service
                        • UAC bypass
                        • Windows security bypass
                        • Executes dropped EXE
                        • Windows security modification
                        • Checks whether UAC is enabled
                        • Enumerates connected drives
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        • System policy modification
                        PID:4572
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                  1⤵
                    PID:3564
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                    1⤵
                      PID:3740
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                        PID:3840
                      • C:\Windows\System32\RuntimeBroker.exe
                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                        1⤵
                          PID:3904
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          1⤵
                            PID:3992
                          • C:\Windows\System32\RuntimeBroker.exe
                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                            1⤵
                              PID:4112
                            • C:\Windows\System32\RuntimeBroker.exe
                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                              1⤵
                                PID:2316
                              • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
                                "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
                                1⤵
                                  PID:1800
                                • C:\Windows\system32\backgroundTaskHost.exe
                                  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                  1⤵
                                    PID:1640

                                  Network

                                  • flag-us
                                    DNS
                                    196.249.167.52.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    196.249.167.52.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    172.210.232.199.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    172.210.232.199.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    69.31.126.40.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    69.31.126.40.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    95.221.229.192.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    95.221.229.192.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    28.118.140.52.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    28.118.140.52.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    58.55.71.13.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    58.55.71.13.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    56.163.245.4.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    56.163.245.4.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    241.42.69.40.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    241.42.69.40.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    30.243.111.52.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    30.243.111.52.in-addr.arpa
                                    IN PTR
                                    Response
                                  No results found
                                  • 8.8.8.8:53
                                    196.249.167.52.in-addr.arpa
                                    dns
                                    73 B
                                     147 B
                                     1
                                    1

                                    DNS Request

                                    196.249.167.52.in-addr.arpa

                                  • 8.8.8.8:53
                                    172.210.232.199.in-addr.arpa
                                    dns
                                    74 B
                                     128 B
                                     1
                                    1

                                    DNS Request

                                    172.210.232.199.in-addr.arpa

                                  • 8.8.8.8:53
                                    69.31.126.40.in-addr.arpa
                                    dns
                                    71 B
                                     157 B
                                     1
                                    1

                                    DNS Request

                                    69.31.126.40.in-addr.arpa

                                  • 8.8.8.8:53
                                    95.221.229.192.in-addr.arpa
                                    dns
                                    73 B
                                     144 B
                                     1
                                    1

                                    DNS Request

                                    95.221.229.192.in-addr.arpa

                                  • 8.8.8.8:53
                                    28.118.140.52.in-addr.arpa
                                    dns
                                    72 B
                                     158 B
                                     1
                                    1

                                    DNS Request

                                    28.118.140.52.in-addr.arpa

                                  • 8.8.8.8:53
                                    58.55.71.13.in-addr.arpa
                                    dns
                                    70 B
                                     144 B
                                     1
                                    1

                                    DNS Request

                                    58.55.71.13.in-addr.arpa

                                  • 8.8.8.8:53
                                    56.163.245.4.in-addr.arpa
                                    dns
                                    71 B
                                     157 B
                                     1
                                    1

                                    DNS Request

                                    56.163.245.4.in-addr.arpa

                                  • 8.8.8.8:53
                                    241.42.69.40.in-addr.arpa
                                    dns
                                    71 B
                                     145 B
                                     1
                                    1

                                    DNS Request

                                    241.42.69.40.in-addr.arpa

                                  • 8.8.8.8:53
                                    30.243.111.52.in-addr.arpa
                                    dns
                                    72 B
                                     158 B
                                     1
                                    1

                                    DNS Request

                                    30.243.111.52.in-addr.arpa

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Temp\e5774a3.exe
                                    Filesize

                                    97KB

                                    MD5

                                    8d9158a452f25b00b23bf24c12aba973

                                    SHA1

                                    15f6e0d90369baf96915e63824e93505f9cd90f9

                                    SHA256

                                    8cdc190d8c5f59844dae0893a10ae105ec03d198da026b157ca217fe29d9cb52

                                    SHA512

                                    1a58a02b22bd6549be93f4613915557b8e7553cc2722e51e9af7ecbb88427f8c5eb156cc176fa1c40031cc16e5f2609336b6d846fc6a3120ec97d628259a0366

                                    Download Submit

                                  • C:\Windows\SYSTEM.INI
                                    Filesize

                                    257B

                                    MD5

                                    316afbdf3fe55c30aff404818af73f2c

                                    SHA1

                                    ba5ec5c6be441a767ec23100b4fac1672dd7f466

                                    SHA256

                                    f5a13b3d512a1fb4acf8fbc4df7a60ba4e235bd79de07afc6ea3b639473f0d02

                                    SHA512

                                    ad23518b490015b422b9c38d3d7bb08094602dedea5b2632f4fc0bd0dd4a84081c2c1c72917aebab796118bd8266b5f1fc048109f3e54c4677802756597a8d67

                                    Download Submit

                                  • memory/2004-44-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/2004-32-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/2004-50-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/2004-85-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/2004-42-0x00000000001F0000-0x00000000001F1000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/2016-12-0x0000000000D50000-0x0000000000D52000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/2016-13-0x0000000003DA0000-0x0000000003DA1000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/2016-0-0x0000000010000000-0x0000000010020000-memory.dmp

                                    Filesize

                                    128KB

                                    Download

                                  • memory/2016-16-0x0000000000D50000-0x0000000000D52000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/2016-26-0x0000000000D50000-0x0000000000D52000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/4572-91-0x00000000007D0000-0x000000000188A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4572-107-0x00000000007D0000-0x000000000188A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4572-93-0x00000000007D0000-0x000000000188A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4572-51-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/4572-142-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/4572-141-0x00000000007D0000-0x000000000188A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4828-36-0x0000000000850000-0x000000000190A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4828-55-0x00000000005F0000-0x00000000005F2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/4828-34-0x0000000000850000-0x000000000190A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4828-35-0x0000000000850000-0x000000000190A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4828-24-0x00000000005F0000-0x00000000005F2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/4828-37-0x0000000000850000-0x000000000190A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4828-38-0x0000000000850000-0x000000000190A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4828-15-0x0000000003D30000-0x0000000003D31000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/4828-33-0x0000000000850000-0x000000000190A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4828-27-0x00000000005F0000-0x00000000005F2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/4828-10-0x0000000000850000-0x000000000190A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4828-39-0x0000000000850000-0x000000000190A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4828-54-0x0000000000850000-0x000000000190A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4828-8-0x0000000000850000-0x000000000190A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4828-56-0x0000000000850000-0x000000000190A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4828-58-0x0000000000850000-0x000000000190A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4828-60-0x0000000000850000-0x000000000190A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4828-61-0x0000000000850000-0x000000000190A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4828-62-0x0000000000850000-0x000000000190A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4828-65-0x0000000000850000-0x000000000190A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4828-84-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/4828-11-0x0000000000850000-0x000000000190A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4828-31-0x0000000000850000-0x000000000190A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4828-25-0x0000000000850000-0x000000000190A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4828-30-0x0000000000850000-0x000000000190A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4828-9-0x0000000000850000-0x000000000190A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4828-6-0x0000000000850000-0x000000000190A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/4828-4-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  We care about your privacy.

                                  This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.