Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
27s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
16/12/2024, 04:30
General
-
Target
d2cbd749f8985550ad9d83189a91abf8814f6fa8d4dcffa46d4251a362309c84N.dll
-
Size
120KB
-
MD5
c3005c2e5968f83c067e4b4a226fb5e0
-
SHA1
792d0d7346348c48d104baa24d8d87d8fb041e6b
-
SHA256
d2cbd749f8985550ad9d83189a91abf8814f6fa8d4dcffa46d4251a362309c84
-
SHA512
7131b4c37c1619b336aba4578e9f64f1e0a70d4371cb9f5116f5011fb9916b1c983a9124f1bb27f08c040b377cac0ee66fb38e8126cad9e620ff3231e705b121
-
SSDEEP
1536:yMnMxp9dFG0mAlIpqPS552jdL+kdv/AUWPe9YNIQzsmk9X7cDaAzyjWF0eJ8pze:4z+pAS55kdL92Us85X7MVkWF0a
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d2cbd749f8985550ad9d83189a91abf8814f6fa8d4dcffa46d4251a362309c84N.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d2cbd749f8985550ad9d83189a91abf8814f6fa8d4dcffa46d4251a362309c84N.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f78257b.exeC:\Users\Admin\AppData\Local\Temp\f78257b.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f78280a.exeC:\Users\Admin\AppData\Local\Temp\f78280a.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f783f51.exeC:\Users\Admin\AppData\Local\Temp\f783f51.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5bcb59c17cef081f9b43771715f3d5620
SHA1328e90dc25d1e1b333b72c004237f36783b10fb3
SHA2567a7097c79bed441320ac02acb31bc57760fb55914ff3773862202c23fbb212b2
SHA512346126084a4aeee3fe5b4197d6637075b7bb72fb6ae020c5dc5b38fb0c0ee42b025ea97722b4b476621a31cbea57eecd7c14d51ee4a443e9ab682e5160b4ed3a
-
Filesize
97KB
MD57335b3a8bf55a851cd3a207970b2eca4
SHA1a004eeabcab093235b981d259969a609d0edb8e8
SHA2567da9e795f53f69134d9bbd3e498c3b187eeeb020562f69b9693dcc30125df120
SHA5122fba674bbe677e4da415b407d4e5a63654609394d8d4772ba324ffc4922eade250b209e58879623a59915f2804243d8fe534ef3a597f052ad4de0b671d5f1e8c
-
Filesize
8KB
-
Filesize
24KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB