Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22/12/2024, 02:10 UTC
General
-
Target
260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe
-
Size
97KB
-
MD5
9bddf6ec69a9081b94365b9cee904b10
-
SHA1
74427f9b609f67ac096587aa4ebbfcccad7f4ef8
-
SHA256
260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271
-
SHA512
e0e810722d0196c0a3aa576a1adaf1411541876259996951c7da33a6f38852e5b477d2c0a6bd0ed80d6acb83cbc73cd7ed0841e9c2d79a0ce2295818a4368439
-
SSDEEP
3072:xSUti6Rj6Yxq2hb/uxehD8EEjsYHjxQd:xN0YQeuxCDrYDG
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
UPX packed file 42 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 11 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe"C:\Users\Admin\AppData\Local\Temp\260abc2435e2cb17f40b827f26a3481ef598456bab81c6160b4aebb7b12b9271N.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
Network
-
DNS104.219.191.52.in-addr.arpaRemote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTRResponse -
DNS172.214.232.199.in-addr.arpaRemote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
DNS22.160.190.20.in-addr.arpaRemote address:8.8.8.8:53Request22.160.190.20.in-addr.arpaIN PTRResponse
-
DNS95.221.229.192.in-addr.arpaRemote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
DNS154.239.44.20.in-addr.arpaRemote address:8.8.8.8:53Request154.239.44.20.in-addr.arpaIN PTRResponse
-
DNS50.23.12.20.in-addr.arpaRemote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
DNS198.187.3.20.in-addr.arpaRemote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
DNS19.229.111.52.in-addr.arpaRemote address:8.8.8.8:53Request19.229.111.52.in-addr.arpaIN PTRResponse
-
8.8.8.8:53104.219.191.52.in-addr.arpadns
DNS Request
104.219.191.52.in-addr.arpa
-
8.8.8.8:53172.214.232.199.in-addr.arpadns
DNS Request
172.214.232.199.in-addr.arpa
-
8.8.8.8:5322.160.190.20.in-addr.arpadns
DNS Request
22.160.190.20.in-addr.arpa
-
8.8.8.8:5395.221.229.192.in-addr.arpadns
DNS Request
95.221.229.192.in-addr.arpa
-
8.8.8.8:53154.239.44.20.in-addr.arpadns
DNS Request
154.239.44.20.in-addr.arpa
-
8.8.8.8:5350.23.12.20.in-addr.arpadns
DNS Request
50.23.12.20.in-addr.arpa
-
8.8.8.8:53198.187.3.20.in-addr.arpadns
DNS Request
198.187.3.20.in-addr.arpa
-
8.8.8.8:5319.229.111.52.in-addr.arpadns
DNS Request
19.229.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD5e8a978c510606e105f7fd4eb37144781
SHA18f23bdbfbd5502c1e07534dcab8559f1dff64f4c
SHA256f722198422f6a16c565fdfb5b6d88fe697a7ba00205c1e60d0c708c21fe3e26d
SHA5123f701602b9038e1621f6dff5824a5a8cd4d61570cd3f2fda4c578478639d4edcc72f828352496cdb708a2ef0dadb51c3854a20bcbb5cb3ec584cc45831f444e1
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB