Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
28s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
22/12/2024, 22:56
General
-
Target
5f12d96a700da406b98aa81af3a49b840d4b7b4f5c22927cc5f1d09f84e0eabb.dll
-
Size
120KB
-
MD5
6dd34b6774b2ad47ba939b0a54519978
-
SHA1
1bbe5ed956778c909c6ab5310251e9cfd1112922
-
SHA256
5f12d96a700da406b98aa81af3a49b840d4b7b4f5c22927cc5f1d09f84e0eabb
-
SHA512
5720da0d6d13419f3af162518ba112b325990253676af24371dfa1c7cfd60014c282338dbd49647a7789d78491a78fbba4c8515a8e667a68cf057683b63cf582
-
SSDEEP
1536:cX/Fm6fj72EcUFcBFYMddI8eXRKdEyadXPqXUV9gKJ4v2yNIwKdWKn3w:w/F5it2cBOaI/RKbitgfKdd
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5f12d96a700da406b98aa81af3a49b840d4b7b4f5c22927cc5f1d09f84e0eabb.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5f12d96a700da406b98aa81af3a49b840d4b7b4f5c22927cc5f1d09f84e0eabb.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f77dcf7.exeC:\Users\Admin\AppData\Local\Temp\f77dcf7.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f77dfa5.exeC:\Users\Admin\AppData\Local\Temp\f77dfa5.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f77f788.exeC:\Users\Admin\AppData\Local\Temp\f77f788.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD58d85c8d235984020cae11eae9fc789de
SHA13a8e6c654d21c325bf01e650a6f6e52a9ce31bea
SHA2566f026a9a6a58d0182badcf28d8de79c8ccb8a66a28f7042a3367b1030a095db0
SHA5121a78ac7f7fcc05e7fa464afbce3485581cb09853e9af40219ad9694c96b67497506592d912e6a86c2ca5fc37eac3c3279acec5a6f5d0a0251100428ff5115b9d
-
Filesize
97KB
MD58bad2d78015be27e173496ab2031439b
SHA17e2ef9ad8fa1babd9f09b36d04336bb62fd8377b
SHA2562cc4af7da4b47d40ce8b4e0073c94e22c4450eea31e322fbd0485b9980ed6622
SHA5127e55b69c04e111e44f381791bc8dd73d23908f85a167d4f665e5de20e656e8f5e68ec614777699a483c2956608aeec65859bf68417bb53a1b7db1c4451eb8f88
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
24KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB