Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 16/12/2024, 05:08
Static task: static1
Behavioral task: behavioral1
Sample: 6bbf1bff8c2dd8396f4b3cd96993ed75ff7a9640a5a552fcd7db08314e0ac7b6N.dll
Resource: win7-20240903-en
General
Target: 6bbf1bff8c2dd8396f4b3cd96993ed75ff7a9640a5a552fcd7db08314e0ac7b6N.dll
Size: 120KB
MD5: 52aba742b42a8b2c3f38d76c75a6e280
SHA1: 278b6b7fee8401e18d69e5816a8784fd242b1ecc
SHA256: 6bbf1bff8c2dd8396f4b3cd96993ed75ff7a9640a5a552fcd7db08314e0ac7b6
SHA512: 3c4bb4e88403c09d7f85e30382ed48deff46256883660836e1f9e69910fd41d435402c9435779147c90d8bf868d5a18697bedec6adb2349999059023654b5380
SSDEEP: 1536:2SVfsO/hVnR+EdiEIjy7W36Sx9tCxOCOwEdq+/mQSaY4tPjB9WGAq+868emufnNQ:ZzbR+EZH7c6S8Cq+OlB4tPdMGU8Y+2m
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service  3 TTPs  6 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  f76bebd.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  f76c0b0.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  f76c0b0.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  f76c0b0.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  f76bebd.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  f76bebd.exe
Sality family

UAC bypass
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76bebd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76c0b0.exe

Windows security bypass
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"  f76bebd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  f76c0b0.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  f76c0b0.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  f76c0b0.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  f76bebd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  f76bebd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  f76bebd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  f76bebd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"  f76c0b0.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  f76bebd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  f76c0b0.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  f76c0b0.exe

Executes dropped EXE  3 IoCs
pid  Process
2504  f76bebd.exe
2816  f76c0b0.exe
2648  f76dd35.exe

Loads dropped DLL  6 IoCs
pid  Process
2396  rundll32.exe  (6 entries)

Windows security modification
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  f76bebd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  f76c0b0.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc  f76c0b0.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  f76bebd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  f76bebd.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc  f76bebd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  f76c0b0.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  f76c0b0.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  f76bebd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  f76bebd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"  f76bebd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  f76c0b0.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  f76c0b0.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"  f76c0b0.exe

Checks whether UAC is enabled
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76bebd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76c0b0.exe
Enumerates connected drives  3 TTPs  15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\E: \??\H: \??\T: \??\I: \??\J: \??\L: \??\G: \??\M: \??\N: \??\O: \??\S: \??\K: \??\P: \??\Q: \??\R:  f76bebd.exe
Drops file in Windows directory  3 IoCs
description  ioc  Process
File opened for modification  C:\Windows\SYSTEM.INI  f76bebd.exe
File created  C:\Windows\f770f7b  f76c0b0.exe
File created  C:\Windows\f76bf1b  f76bebd.exe
System Location Discovery: System Language Discovery  1 TTPs  3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f76bebd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f76c0b0.exe
Suspicious behavior: EnumeratesProcesses  3 IoCs
pid  Process
2504  f76bebd.exe
2504  f76bebd.exe
2816  f76c0b0.exe
Suspicious use of AdjustPrivilegeToken  46 IoCs
description  pid  Process
Token: SeDebugPrivilege  2504  f76bebd.exe  (24 entries)
Token: SeDebugPrivilege  2816  f76c0b0.exe  (22 entries)
Suspicious use of WriteProcessMemory  38 IoCs
description  pid  Process  procid_target
PID 2384 wrote to memory of 2396  2384  rundll32.exe  30  (7 entries)
PID 2396 wrote to memory of 2504  2396  rundll32.exe  31  (4 entries)
PID 2504 wrote to memory of 1112  2504  f76bebd.exe  19
PID 2504 wrote to memory of 1160  2504  f76bebd.exe  20
PID 2504 wrote to memory of 1196  2504  f76bebd.exe  21
PID 2504 wrote to memory of 1496  2504  f76bebd.exe  25
PID 2504 wrote to memory of 2384  2504  f76bebd.exe  29
PID 2504 wrote to memory of 2396  2504  f76bebd.exe  30  (2 entries)
PID 2396 wrote to memory of 2816  2396  rundll32.exe  32  (4 entries)
PID 2396 wrote to memory of 2648  2396  rundll32.exe  34  (4 entries)
PID 2504 wrote to memory of 1112  2504  f76bebd.exe  19
PID 2504 wrote to memory of 1160  2504  f76bebd.exe  20
PID 2504 wrote to memory of 1196  2504  f76bebd.exe  21
PID 2504 wrote to memory of 1496  2504  f76bebd.exe  25
PID 2504 wrote to memory of 2816  2504  f76bebd.exe  32  (2 entries)
PID 2504 wrote to memory of 2648  2504  f76bebd.exe  34  (2 entries)
PID 2816 wrote to memory of 1112  2816  f76c0b0.exe  19
PID 2816 wrote to memory of 1160  2816  f76c0b0.exe  20
PID 2816 wrote to memory of 1196  2816  f76c0b0.exe  21
PID 2816 wrote to memory of 1496  2816  f76c0b0.exe  25
System policy modification  1 TTPs  2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76bebd.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76c0b0.exe
Processes
C:\Windows\system32\taskhost.exe  "taskhost.exe"  PID:1112
C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  PID:1160
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:1196
C:\Windows\system32\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6bbf1bff8c2dd8396f4b3cd96993ed75ff7a9640a5a552fcd7db08314e0ac7b6N.dll,#1  PID:2384
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6bbf1bff8c2dd8396f4b3cd96993ed75ff7a9640a5a552fcd7db08314e0ac7b6N.dll,#1  PID:2396
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\f76bebd.exe  C:\Users\Admin\AppData\Local\Temp\f76bebd.exe  PID:2504
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    C:\Users\Admin\AppData\Local\Temp\f76c0b0.exe  C:\Users\Admin\AppData\Local\Temp\f76c0b0.exe  PID:2816
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    C:\Users\Admin\AppData\Local\Temp\f76dd35.exe  C:\Users\Admin\AppData\Local\Temp\f76dd35.exe  PID:2648
      - Executes dropped EXE
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:1496
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 257B
MD5: 828bac87891702e0c22a73860f830d41
SHA1: 816ff91d93a2c00c9955907afe2c9d8a85f15d33
SHA256: ba370dc23942922111eef29d8b88dd1e8f29e8b65ea799d2559ecea2bf9cbedf
SHA512: 527fd902d9af69781e0f4817235aae6a2ffc1e07822b948f57c417945be83e6d8b2678a5d763bb11f08c5a5e7b091ee4998d9c4894f240a6e95e5d27fb761e86

Filesize: 97KB
MD5: 7081ae3911b51dff0fbf5f06dab9479f
SHA1: 10b5eea784175357fe1422fcd3da5e30be4ef2e0
SHA256: 9b863d39010871cfe52e1772b39a68bd2d8b1fadf96dfc2915802b3804545bf6
SHA512: b75855a1216d8ab5ded03e776e194fe3d74b1ab4826eb6d3dc5fca53af82fc73a943490927c1dc1346286c4a2ce0b95d2a3ac20296d48af36f7bd793f03d534a