Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 17/12/2024, 14:07
Static task: static1
Behavioral task: behavioral1
- Sample: c52509f0fd2a0d02f79feca22c3c50d8b6a90e316e5f46b3b6a16fd925bd971d.dll
- Resource: win7-20240903-en
General
- Target: c52509f0fd2a0d02f79feca22c3c50d8b6a90e316e5f46b3b6a16fd925bd971d.dll
- Size: 120KB
- MD5: 9dcdca614d8517d442fc455925c83a5b
- SHA1: 117697cb3921f5f8ce903420181bdc348e2fbb88
- SHA256: c52509f0fd2a0d02f79feca22c3c50d8b6a90e316e5f46b3b6a16fd925bd971d
- SHA512: 9abe1123b3fb495e718e3b755f95769cb761e9f32a48683fea1ccd44498be3fb39b708f5ef35dfa0d3e83c24596eecf0eba7a62c77892c8a79da923974b8d5f9
- SSDEEP: 3072:BPecF/pvjQ4U7rHnHEGaIu6/i7oC/QSfg1x:BPecFBMPHHHEGaIL/i7PIOm
Malware Config
Extracted family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76beec.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76beec.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76beec.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76beec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e060.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76beec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76beec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76beec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76beec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76beec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76beec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e060.exe
Executes dropped EXE (3 IoCs)
pid | Process
2308 | f76beec.exe
2716 | f76c091.exe
1688 | f76e060.exe
Loads dropped DLL (6 IoCs)
pid | Process
2392 | rundll32.exe (the same entry is recorded 6 times)
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76beec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76beec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76beec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76beec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76beec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76beec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76beec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e060.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76beec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e060.exe
Enumerates connected drives (3 TTPs, 18 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P: | f76beec.exe
File opened (read-only) | \??\H: | f76e060.exe
File opened (read-only) | \??\G: | f76beec.exe
File opened (read-only) | \??\J: | f76beec.exe
File opened (read-only) | \??\M: | f76beec.exe
File opened (read-only) | \??\T: | f76beec.exe
File opened (read-only) | \??\E: | f76e060.exe
File opened (read-only) | \??\O: | f76beec.exe
File opened (read-only) | \??\Q: | f76beec.exe
File opened (read-only) | \??\H: | f76beec.exe
File opened (read-only) | \??\I: | f76beec.exe
File opened (read-only) | \??\L: | f76beec.exe
File opened (read-only) | \??\R: | f76beec.exe
File opened (read-only) | \??\S: | f76beec.exe
File opened (read-only) | \??\G: | f76e060.exe
File opened (read-only) | \??\E: | f76beec.exe
File opened (read-only) | \??\K: | f76beec.exe
File opened (read-only) | \??\N: | f76beec.exe
resource | yara_rule
behavioral1/memory/2308-18-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-22-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-20-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-17-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-24-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-23-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-21-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-26-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-19-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-15-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-25-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-64-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-63-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-65-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-66-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-68-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-69-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-70-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-71-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-72-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-88-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-89-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2308-157-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/1688-174-0x0000000000920000-0x00000000019DA000-memory.dmp | upx
behavioral1/memory/1688-215-0x0000000000920000-0x00000000019DA000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\f76bf2a | f76beec.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76beec.exe
File created | C:\Windows\f771036 | f76e060.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76e060.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76beec.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2308 | f76beec.exe
2308 | f76beec.exe
1688 | f76e060.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2308 | f76beec.exe (the same entry is recorded 24 times)
Token: SeDebugPrivilege | 1688 | f76e060.exe (the same entry is recorded 22 times)
Suspicious use of WriteProcessMemory (38 IoCs)
description | pid | Process | procid_target
PID 2384 wrote to memory of 2392 | 2384 | rundll32.exe | 30
PID 2384 wrote to memory of 2392 | 2384 | rundll32.exe | 30
PID 2384 wrote to memory of 2392 | 2384 | rundll32.exe | 30
PID 2384 wrote to memory of 2392 | 2384 | rundll32.exe | 30
PID 2384 wrote to memory of 2392 | 2384 | rundll32.exe | 30
PID 2384 wrote to memory of 2392 | 2384 | rundll32.exe | 30
PID 2384 wrote to memory of 2392 | 2384 | rundll32.exe | 30
PID 2392 wrote to memory of 2308 | 2392 | rundll32.exe | 31
PID 2392 wrote to memory of 2308 | 2392 | rundll32.exe | 31
PID 2392 wrote to memory of 2308 | 2392 | rundll32.exe | 31
PID 2392 wrote to memory of 2308 | 2392 | rundll32.exe | 31
PID 2308 wrote to memory of 1112 | 2308 | f76beec.exe | 19
PID 2308 wrote to memory of 1160 | 2308 | f76beec.exe | 20
PID 2308 wrote to memory of 1196 | 2308 | f76beec.exe | 21
PID 2308 wrote to memory of 1496 | 2308 | f76beec.exe | 25
PID 2308 wrote to memory of 2384 | 2308 | f76beec.exe | 29
PID 2308 wrote to memory of 2392 | 2308 | f76beec.exe | 30
PID 2308 wrote to memory of 2392 | 2308 | f76beec.exe | 30
PID 2392 wrote to memory of 2716 | 2392 | rundll32.exe | 32
PID 2392 wrote to memory of 2716 | 2392 | rundll32.exe | 32
PID 2392 wrote to memory of 2716 | 2392 | rundll32.exe | 32
PID 2392 wrote to memory of 2716 | 2392 | rundll32.exe | 32
PID 2392 wrote to memory of 1688 | 2392 | rundll32.exe | 34
PID 2392 wrote to memory of 1688 | 2392 | rundll32.exe | 34
PID 2392 wrote to memory of 1688 | 2392 | rundll32.exe | 34
PID 2392 wrote to memory of 1688 | 2392 | rundll32.exe | 34
PID 2308 wrote to memory of 1112 | 2308 | f76beec.exe | 19
PID 2308 wrote to memory of 1160 | 2308 | f76beec.exe | 20
PID 2308 wrote to memory of 1196 | 2308 | f76beec.exe | 21
PID 2308 wrote to memory of 1496 | 2308 | f76beec.exe | 25
PID 2308 wrote to memory of 2716 | 2308 | f76beec.exe | 32
PID 2308 wrote to memory of 2716 | 2308 | f76beec.exe | 32
PID 2308 wrote to memory of 1688 | 2308 | f76beec.exe | 34
PID 2308 wrote to memory of 1688 | 2308 | f76beec.exe | 34
PID 1688 wrote to memory of 1112 | 1688 | f76e060.exe | 19
PID 1688 wrote to memory of 1160 | 1688 | f76e060.exe | 20
PID 1688 wrote to memory of 1196 | 1688 | f76e060.exe | 21
PID 1688 wrote to memory of 1496 | 1688 | f76e060.exe | 25
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76beec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e060.exe
Processes
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  PID: 1112
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 1160
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1196
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c52509f0fd2a0d02f79feca22c3c50d8b6a90e316e5f46b3b6a16fd925bd971d.dll,#1
  PID: 2384
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c52509f0fd2a0d02f79feca22c3c50d8b6a90e316e5f46b3b6a16fd925bd971d.dll,#1
    PID: 2392
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f76beec.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f76beec.exe
      PID: 2308
      Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f76c091.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f76c091.exe
      PID: 2716
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\f76e060.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f76e060.exe
      PID: 1688
      Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1496
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 257B
  MD5: 828bac87891702e0c22a73860f830d41
  SHA1: 816ff91d93a2c00c9955907afe2c9d8a85f15d33
  SHA256: ba370dc23942922111eef29d8b88dd1e8f29e8b65ea799d2559ecea2bf9cbedf
  SHA512: 527fd902d9af69781e0f4817235aae6a2ffc1e07822b948f57c417945be83e6d8b2678a5d763bb11f08c5a5e7b091ee4998d9c4894f240a6e95e5d27fb761e86
- Filesize: 97KB
  MD5: d8c0dbfff9cae8e002f0555fcb880648
  SHA1: 79f13f3ff82ac4caba479441ed293874e37f2d58
  SHA256: bddf45ce9d131f18f8f72d256651f5b4f6b1da58360b79eeb49fdc6a3a6c0057
  SHA512: 09dd4911e7e91ff01346cbe900f1bb3d85b0e05277ca7bce6b5fbf2bd80d37190d39845e3e4854e7a276199c7d892e1703a2e6c97ac223e08420486ba513bf39