Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

8b8524e548...2N.exe

windows7-x64

10

8b8524e548...2N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2024, 23:45 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8b8524e54816bd1590de8f444069250330309319e0997e25734b46301cc26922N.exe

  • Size

    144KB

  • MD5

    995f70a85c2afe169f5802a89b3754a0

  • SHA1

    71a73e26d080f73c9c4cb7abbc3f5c79ad51dc10

  • SHA256

    8b8524e54816bd1590de8f444069250330309319e0997e25734b46301cc26922

  • SHA512

    59cc5f45b5455585570f5506b0508d21888d4dbe5ce5c7b3ac2d986c090e4fb9bd565cad701816ff06cd9ebf494715245642929d83d3930d46dd43b9a1aa58e9

  • SSDEEP

    3072:OZu2Vgc0B4TBTiEhL3s3YascgZaTt7cfGQzpzvSOq:OZX6WNOEtQYagUtAfGQzRe

Score
10/10
salitybackdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • UPX packed file 25 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1056
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1072
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1172
          • C:\Users\Admin\AppData\Local\Temp\8b8524e54816bd1590de8f444069250330309319e0997e25734b46301cc26922N.exe
            "C:\Users\Admin\AppData\Local\Temp\8b8524e54816bd1590de8f444069250330309319e0997e25734b46301cc26922N.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Disables RegEdit via registry modification
            • Windows security modification
            • Checks whether UAC is enabled
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2188
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c Tools\init.cmd "C:\Users\Admin\AppData\Local\Temp\bin\Tools\run.hta"
              3⤵
              • System Location Discovery: System Language Discovery
              PID:3048
            • C:\Windows\SysWOW64\mshta.exe
              "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\bin\Tools\run.hta"
              3⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              PID:2604
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1412

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Replication Through Removable Media

          1
          T1091

          Execution

          Persistence

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          4
          T1562

          Disable or Modify System Firewall

          1
          T1562.004

          Disable or Modify Tools

          3
          T1562.001

          Modify Registry

          6
          T1112

          Credential Access

          Discovery

          Peripheral Device Discovery

          1
          T1120

          Query Registry

          1
          T1012

          System Information Discovery

          3
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Replication Through Removable Media

          1
          T1091

          Collection

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • F:\dlil.exe
            Filesize

            100KB

            MD5

            69171bde4acde6976a10f04292ac474d

            SHA1

            68fdba09feb6056748a737a294a43bc23befab51

            SHA256

            b85f7e90c011555c4cecd0502c6a2290a328e81ed5119051f2ec72320f339bfd

            SHA512

            f2a606de75be59e6ed20970bebcab682e1ac82531a247135f45bb2ef2b0839c4ccbd851d9d3978c6c7d0490d0282a4a7d0943d9b9468a5b60a0112bb2ee4cb9a

            Download Submit

          • memory/1056-14-0x0000000000500000-0x0000000000502000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2188-39-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-13-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-10-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-12-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-9-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-7-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-6-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-27-0x0000000000470000-0x0000000000472000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2188-26-0x0000000000470000-0x0000000000472000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2188-25-0x0000000000480000-0x0000000000481000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2188-23-0x0000000000480000-0x0000000000481000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2188-22-0x0000000000470000-0x0000000000472000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2188-1-0x00000000003C0000-0x00000000003E9000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2188-8-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-40-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-11-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-29-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-28-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-5-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-0-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2188-49-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-43-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-44-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-45-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-47-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-41-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-172-0x00000000003C0000-0x00000000003E9000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2188-171-0x00000000003C0000-0x00000000003E9000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2188-65-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2188-66-0x0000000000470000-0x0000000000472000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2188-68-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-70-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-71-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-74-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-76-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-78-0x0000000002530000-0x00000000035BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2188-2-0x00000000003C0000-0x00000000003E9000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2188-170-0x00000000003C0000-0x00000000003E9000-memory.dmp

            Filesize

            164KB

            Download

          • memory/2604-64-0x00000000034E0000-0x00000000034E2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2604-63-0x0000000003530000-0x0000000003531000-memory.dmp

            Filesize

            4KB

            Download

          We care about your privacy.

          This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.