Analysis
  max time kernel:  119s
  max time network: 123s
  platform:         windows7_x64
  resource:         win7-20241010-en
  resource tags:    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  submitted:        17/12/2024, 09:24
Static task:     static1
Behavioral task: behavioral1
  Sample:   8797f766ea316faea6d94333d1f57e60193d63da5148cb4bf31d8f55f9c16ed0.dll
  Resource: win7-20241010-en
General
  Target: 8797f766ea316faea6d94333d1f57e60193d63da5148cb4bf31d8f55f9c16ed0.dll
  Size:   120KB
  MD5:    dc2dd583bef09c623ecd14184fd2dfad
  SHA1:   ea1e34bc6f21389f893f654990c7d050de3b28ae
  SHA256: 8797f766ea316faea6d94333d1f57e60193d63da5148cb4bf31d8f55f9c16ed0
  SHA512: 67ef791b753935e67ae607325cc132492806c3f5a75a258f93a761abae28d2fe98deebb3245477447959d238afde672cf5cca6366b2e92e324fc64e5a81ae11a
  SSDEEP: 3072:WmXyEbYH27rTCSLubNkfumapbvn0bTrWR:W/NzP7jn0bTrWR
Malware Config
  Extracted: sality
  URLs:
    http://89.119.67.154/testo5/
    http://kukutrustnet777.info/home.gif
    http://kukutrustnet888.info/home.gif
    http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76e206.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76e206.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76e206.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76dff3.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76dff3.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76dff3.exe

Sality family

UAC bypass (2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76dff3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e206.exe

Windows security bypass (12 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76dff3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76dff3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76dff3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e206.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e206.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e206.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76dff3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76dff3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76dff3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e206.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e206.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e206.exe

Executes dropped EXE (3 IoCs)
  pid | Process
  2540 | f76dff3.exe
  2640 | f76e206.exe
  2652 | f76fa37.exe

Loads dropped DLL (6 IoCs)
  pid | Process
  3032 | rundll32.exe  (6 occurrences)

Windows security modification (14 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e206.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76e206.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e206.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76dff3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76dff3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e206.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e206.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e206.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e206.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76dff3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76dff3.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76dff3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76dff3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76dff3.exe

Checks whether UAC is enabled (2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76dff3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e206.exe
Enumerates connected drives (3 TTPs, 13 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\J: | f76dff3.exe
  File opened (read-only) | \??\N: | f76dff3.exe
  File opened (read-only) | \??\Q: | f76dff3.exe
  File opened (read-only) | \??\R: | f76dff3.exe
  File opened (read-only) | \??\E: | f76dff3.exe
  File opened (read-only) | \??\G: | f76dff3.exe
  File opened (read-only) | \??\H: | f76dff3.exe
  File opened (read-only) | \??\I: | f76dff3.exe
  File opened (read-only) | \??\K: | f76dff3.exe
  File opened (read-only) | \??\L: | f76dff3.exe
  File opened (read-only) | \??\M: | f76dff3.exe
  File opened (read-only) | \??\O: | f76dff3.exe
  File opened (read-only) | \??\P: | f76dff3.exe
UPX packed file (yara rule upx, 23 IoCs)
  resource | yara_rule
  behavioral1/memory/2540-18-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx
  behavioral1/memory/2540-12-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx
  behavioral1/memory/2540-14-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx
  behavioral1/memory/2540-15-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx
  behavioral1/memory/2540-20-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx
  behavioral1/memory/2540-39-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx
  behavioral1/memory/2540-19-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx
  behavioral1/memory/2540-40-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx
  behavioral1/memory/2540-17-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx
  behavioral1/memory/2540-41-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx
  behavioral1/memory/2540-63-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx
  behavioral1/memory/2540-64-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx
  behavioral1/memory/2540-65-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx
  behavioral1/memory/2540-66-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx
  behavioral1/memory/2540-67-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx
  behavioral1/memory/2540-69-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx
  behavioral1/memory/2540-84-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx
  behavioral1/memory/2540-85-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx
  behavioral1/memory/2540-87-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx
  behavioral1/memory/2540-97-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx
  behavioral1/memory/2540-109-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx
  behavioral1/memory/2540-150-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx
  behavioral1/memory/2640-173-0x00000000009C0000-0x0000000001A7A000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\f76e060 | f76dff3.exe
  File opened for modification | C:\Windows\SYSTEM.INI | f76dff3.exe
  File created | C:\Windows\f7730e0 | f76e206.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76dff3.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2540 | f76dff3.exe  (2 occurrences)
Suspicious use of AdjustPrivilegeToken (24 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2540 | f76dff3.exe  (24 occurrences)
Suspicious use of WriteProcessMemory (34 IoCs; identical rows collapsed, count in parentheses)
  description | pid | Process | procid_target
  PID 2552 wrote to memory of 3032 | 2552 | rundll32.exe | 30  (7)
  PID 3032 wrote to memory of 2540 | 3032 | rundll32.exe | 31  (4)
  PID 2540 wrote to memory of 1264 | 2540 | f76dff3.exe | 19  (2)
  PID 2540 wrote to memory of 1348 | 2540 | f76dff3.exe | 20  (2)
  PID 2540 wrote to memory of 1408 | 2540 | f76dff3.exe | 21  (2)
  PID 2540 wrote to memory of 1708 | 2540 | f76dff3.exe | 23  (2)
  PID 2540 wrote to memory of 2552 | 2540 | f76dff3.exe | 29  (1)
  PID 2540 wrote to memory of 3032 | 2540 | f76dff3.exe | 30  (2)
  PID 3032 wrote to memory of 2640 | 3032 | rundll32.exe | 33  (4)
  PID 3032 wrote to memory of 2652 | 3032 | rundll32.exe | 34  (4)
  PID 2540 wrote to memory of 2640 | 2540 | f76dff3.exe | 33  (2)
  PID 2540 wrote to memory of 2652 | 2540 | f76dff3.exe | 34  (2)
System policy modification (1 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76dff3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e206.exe
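The registry writes recorded under the firewall-policy, UAC and Security Center signatures above are the indicators a detection engineer would key on: the same process turns off the firewall, sets EnableLUA to 0 and flips every Security Center override and notification flag. The following is an added example, not part of this Triage report and not Triage's own logic. It parses rows in the report's own `Set value (int) <key> = "<value>" <process>` format, canonicalises the key so the Wow6432Node view, the 64-bit view and any ControlSet number all hit one rule, and flags a process that trips three or more distinct impairments. The finding names, the threshold of three and the two benign decoy rows (gpupdate.exe re-enabling UAC, setup.exe writing an unrelated Run key) are this example's own assumptions; the other sample rows are copied from the signatures above.

```python
"""Score Sality-style security-impairment registry writes.

Added example, not part of the Triage report. It consumes lines in the
report's own IoC format ('Set value (int) <key> = "<value>" <process>')
and flags processes that disable UAC, the firewall or Security Center
alerting. SAMPLE_LINES is constructed: report rows plus two benign decoys.
"""
import re
from collections import defaultdict

# Keys are normalised to lower case, an HKLM\ prefix, CurrentControlSet in
# place of ControlSet00N, and no Wow6432Node, so one rule covers the x86 and
# x64 registry views and any control set (Sysmon Event ID 13 paths match too).
FW = ("hklm\\system\\currentcontrolset\\services\\sharedaccess\\parameters"
      "\\firewallpolicy\\standardprofile\\")
SC = "hklm\\software\\microsoft\\security center\\"
POL = "hklm\\software\\microsoft\\windows\\currentversion\\policies\\system\\"

# normalised key -> (value that indicates impairment, finding name).
# Finding names are this example's own labels.
IMPAIRMENT_RULES = {
    FW + "enablefirewall":         ("0", "Windows Firewall disabled"),
    FW + "donotallowexceptions":   ("0", "firewall exceptions allowed"),
    FW + "disablenotifications":   ("1", "firewall notifications suppressed"),
    POL + "enablelua":             ("0", "UAC disabled (EnableLUA=0)"),
    SC + "antivirusoverride":      ("1", "Security Center AV override"),
    SC + "antivirusdisablenotify": ("1", "Security Center AV notifications off"),
    SC + "firewalloverride":       ("1", "Security Center firewall override"),
    SC + "firewalldisablenotify":  ("1", "Security Center firewall notifications off"),
    SC + "uacdisablenotify":       ("1", "Security Center UAC notifications off"),
    SC + "updatesdisablenotify":   ("1", "Security Center update notifications off"),
}

# The key may contain spaces ("Security Center"), so match it lazily up to ' = "'.
SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "([^"]*)" (\S+)$')


def normalize_key(path: str) -> str:
    """Canonicalise a registry path as described above."""
    key = path.lower().replace("\\registry\\machine\\", "hklm\\")
    key = re.sub(r"\\controlset\d{3}\\", r"\\currentcontrolset\\", key)
    return key.replace("\\wow6432node\\", "\\")


def evaluate(lines):
    """Return {process: set(finding names)} for every rule hit."""
    hits = defaultdict(set)
    for line in lines:
        m = SET_RE.match(line.strip())
        if not m:            # 'Key created', 'File opened', ... are not scored here
            continue
        _vtype, key, value, process = m.groups()
        rule = IMPAIRMENT_RULES.get(normalize_key(key))
        if rule and rule[0] == value:   # value must match: EnableLUA = "1" is benign
            hits[process].add(rule[1])
    return dict(hits)


def verdict(hits, threshold=3):
    """Three or more distinct impairments from one process is the pattern seen above."""
    return {p: ("security-tool impairment" if len(f) >= threshold
                else "suspicious registry write") for p, f in hits.items()}


# Constructed sample: six report rows for f76dff3.exe, two for f76e206.exe,
# one 'Key created' row that is ignored, and two benign decoys that must not match.
SAMPLE_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76dff3.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76dff3.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76dff3.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76dff3.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76dff3.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76dff3.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76e206.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76e206.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76e206.exe',
    # decoys (constructed, not from the report): UAC re-enabled, unrelated Run key
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" gpupdate.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svc = "C:\Tools\svc.exe" setup.exe',
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_LINES)
    for process, label in verdict(found).items():
        print(f"{process}: {label}")
        for name in sorted(found[process]):
            print(f"    - {name}")
```

The value check matters as much as the key: a legitimate policy push sets EnableLUA to 1 and a firewall product may toggle DisableNotifications, so a rule on the key alone is noisy. Scoring distinct impairments per process, rather than per event, is what separates f76dff3.exe (six) from a single stray write.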
Processes
  (bracketed number = nesting depth in the report's process tree; the depth-2 rundll32.exe has a parent the report does not show)

  [1] C:\Windows\system32\taskhost.exe
      command line: "taskhost.exe"
      PID: 1264

  [1] C:\Windows\system32\Dwm.exe
      command line: "C:\Windows\system32\Dwm.exe"
      PID: 1348

  [1] C:\Windows\Explorer.EXE
      command line: C:\Windows\Explorer.EXE
      PID: 1408

      [2] C:\Windows\system32\rundll32.exe
          command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8797f766ea316faea6d94333d1f57e60193d63da5148cb4bf31d8f55f9c16ed0.dll,#1
          PID: 2552
          - Suspicious use of WriteProcessMemory

          [3] C:\Windows\SysWOW64\rundll32.exe
              command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8797f766ea316faea6d94333d1f57e60193d63da5148cb4bf31d8f55f9c16ed0.dll,#1
              PID: 3032
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

              [4] C:\Users\Admin\AppData\Local\Temp\f76dff3.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\f76dff3.exe
                  PID: 2540
                  - Modifies firewall policy service
                  - UAC bypass
                  - Windows security bypass
                  - Executes dropped EXE
                  - Windows security modification
                  - Checks whether UAC is enabled
                  - Enumerates connected drives
                  - Drops file in Windows directory
                  - System Location Discovery: System Language Discovery
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  - System policy modification

              [4] C:\Users\Admin\AppData\Local\Temp\f76e206.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\f76e206.exe
                  PID: 2640
                  - Modifies firewall policy service
                  - UAC bypass
                  - Windows security bypass
                  - Executes dropped EXE
                  - Windows security modification
                  - Checks whether UAC is enabled
                  - Drops file in Windows directory
                  - System policy modification

              [4] C:\Users\Admin\AppData\Local\Temp\f76fa37.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\f76fa37.exe
                  PID: 2652
                  - Executes dropped EXE

  [1] C:\Windows\system32\DllHost.exe
      command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      PID: 1708
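Read together with the WriteProcessMemory rows in the signatures, the tree above shows two different kinds of memory write: rundll32.exe (2552, 3032) writing into children it is in the middle of creating, and f76dff3.exe (2540) writing into processes it did not create, namely taskhost.exe, Dwm.exe, Explorer.EXE, DllHost.exe, both rundll32.exe instances and its two sibling droppers. The following is an added example, not part of the Triage report and not Triage's own logic. It uses the parent relationships visible in the tree to split the rows into spawn-time writes and injection. PROCESSES is reconstructed from the tree, with None as the parent wherever the report shows none, and WRITE_ROWS is the report's 34 events deduplicated to the 12 distinct writer/target pairs; the row format is the report's own.

```python
"""Separate spawn-time memory writes from cross-process injection.

Added example, not part of the Triage report. WRITE_ROWS are the rows of the
report's 'Suspicious use of WriteProcessMemory' signature, deduplicated;
PROCESSES is reconstructed from the report's process tree, with None where
the report does not show a parent.
"""
import re
from collections import defaultdict

# pid -> (image name, parent pid or None if the report does not show it)
PROCESSES = {
    1264: ("taskhost.exe", None),
    1348: ("Dwm.exe", None),
    1408: ("Explorer.EXE", None),
    1708: ("DllHost.exe", None),
    2552: ("rundll32.exe", None),   # depth-2 node; its parent is not in the tree
    3032: ("rundll32.exe", 2552),
    2540: ("f76dff3.exe", 3032),
    2640: ("f76e206.exe", 3032),
    2652: ("f76fa37.exe", 3032),
}

# Report row format: 'PID <src> wrote to memory of <dst> <src> <image> <target index>'.
# The trailing number is Triage's internal process index, not a PID, and is ignored.
WRITE_ROWS = [
    "PID 2552 wrote to memory of 3032 2552 rundll32.exe 30",
    "PID 3032 wrote to memory of 2540 3032 rundll32.exe 31",
    "PID 2540 wrote to memory of 1264 2540 f76dff3.exe 19",
    "PID 2540 wrote to memory of 1348 2540 f76dff3.exe 20",
    "PID 2540 wrote to memory of 1408 2540 f76dff3.exe 21",
    "PID 2540 wrote to memory of 1708 2540 f76dff3.exe 23",
    "PID 2540 wrote to memory of 2552 2540 f76dff3.exe 29",
    "PID 2540 wrote to memory of 3032 2540 f76dff3.exe 30",
    "PID 3032 wrote to memory of 2640 3032 rundll32.exe 33",
    "PID 3032 wrote to memory of 2652 3032 rundll32.exe 34",
    "PID 2540 wrote to memory of 2640 2540 f76dff3.exe 33",
    "PID 2540 wrote to memory of 2652 2540 f76dff3.exe 34",
]

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")


def classify_writes(rows, processes):
    """Return {writer pid: {"spawn": [pids], "injection": [pids]}}.

    A write into a process whose recorded parent is the writer is what
    CreateProcess does while setting up a child. A write into any other
    process is a write the writer had no creation-time reason to make.
    """
    result = defaultdict(lambda: {"spawn": set(), "injection": set()})
    for row in rows:
        m = WRITE_RE.match(row.strip())
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        parent = processes.get(dst, (None, None))[1]   # None for unknown targets
        kind = "spawn" if parent == src else "injection"
        result[src][kind].add(dst)
    return {pid: {k: sorted(v) for k, v in kinds.items()}
            for pid, kinds in result.items()}


def injection_targets(classified, processes):
    """Readable injection list, e.g. {2540: ['taskhost.exe (1264)', ...]}."""
    return {
        pid: [f"{processes.get(t, ('<unknown>', None))[0]} ({t})"
              for t in kinds["injection"]]
        for pid, kinds in classified.items() if kinds["injection"]
    }


if __name__ == "__main__":
    classified = classify_writes(WRITE_ROWS, PROCESSES)
    for pid, targets in injection_targets(classified, PROCESSES).items():
        print(f"{PROCESSES[pid][0]} ({pid}) wrote into processes it did not create:")
        for target in targets:
            print(f"    - {target}")
```

The spawn bucket is not proof of innocence: process hollowing also writes into a child the writer created (suspended), so in a real pipeline those rows deserve a second look at what the child ends up executing. The injection bucket needs no such caveat; a dropper in the user's Temp directory writing into taskhost.exe, Dwm.exe and Explorer.EXE is the behaviour worth alerting on by itself.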
Network
MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Create or Modify System Process (1)
      Windows Service (1)
  Defense Evasion
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Impair Defenses (4)
      Disable or Modify System Firewall (1)
      Disable or Modify Tools (3)
    Modify Registry (5)
Downloads
  File 1
    Filesize: 255B
    MD5:      94356e7bacaa56ef6c1088564633b547
    SHA1:     5e813f0c4ccbf51cb99fdb813cd4ba3f500cb907
    SHA256:   a22094f287cf8e72fdcb43ba7bec2ed13c7e14bafae3c48c362f4fc3d70bfdfd
    SHA512:   79110c7e430edd8b13ac50aa42f6cb06bc8ea4797fb9f178eaf71ce421eb028c58b3ce64fe572b3c6ad82e970e3409263d8eaa441e125fc4c2b45153c86f397e
  File 2
    Filesize: 97KB
    MD5:      3130dd7bf71bcaaadef6ed643cd1964e
    SHA1:     2bcf1c550f95564c39e86eca8a3ae9722570e955
    SHA256:   9211ed2ddb7a2c2dc822c8a2c1c28bd5b0818708a118fdf6e534ff6225843d02
    SHA512:   23ce33879045cb03c3561ac264af16a85ea515c05c7456336a1b989203b4cde55d7f060a64bc0509ea5d6d920a72d945b60c15f78d94f9b927d4e5b84b971963