Analysis
- max time kernel: 27s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2024, 23:18
Static task: static1
Behavioral task: behavioral1
- Sample: 1449e0c9ea92fce920f70366d23a269d9b3d9c3678096512d1e9507675e6e4e9N.dll
- Resource: win7-20240903-en
General
- Target: 1449e0c9ea92fce920f70366d23a269d9b3d9c3678096512d1e9507675e6e4e9N.dll
- Size: 120KB
- MD5: cbf72ccabc05bfff03562f8a0d7b2dd0
- SHA1: d84872a95fdc323e9fa64e45ed4a317c762a33c3
- SHA256: 1449e0c9ea92fce920f70366d23a269d9b3d9c3678096512d1e9507675e6e4e9
- SHA512: 8161a3a7f9afe2a180cb44ac1ef2ae64e2b6bc6d504fda032177aaf43ebae361dce0c9be86c6f67c10d9e8468bfe429f221ff614c2bd4aa0690c2cee789cdc49
- SSDEEP: 3072:tcrC5kyNGTSps1tlNooeYLzLlPGQlmb5n:t0CqyouaD/oyLz8
Malware Config
- Extracted family: sality
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (f769af8.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (f769af8.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (f767f4d.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (f767f4d.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (f767f4d.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (f769af8.exe)
Sality family
UAC bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f767f4d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f769af8.exe)
Windows security bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f767f4d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f767f4d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f769af8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f769af8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f769af8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f769af8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f767f4d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f767f4d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f767f4d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f767f4d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f769af8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f769af8.exe)
Executes dropped EXE (3 IoCs)
- PID 2344: f767f4d.exe
- PID 1540: f768150.exe
- PID 2588: f769af8.exe
Loads dropped DLL (6 IoCs)
- PID 2120: rundll32.exe
- PID 2120: rundll32.exe
- PID 2120: rundll32.exe
- PID 2120: rundll32.exe
- PID 2120: rundll32.exe
- PID 2120: rundll32.exe
Windows security modification
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f769af8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f769af8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f769af8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f769af8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f767f4d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f767f4d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f767f4d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f769af8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f767f4d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f767f4d.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (f767f4d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f769af8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f767f4d.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (f769af8.exe)
Checks whether UAC is enabled
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f767f4d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f769af8.exe)
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\E: (f767f4d.exe)
- File opened (read-only) \??\K: (f767f4d.exe)
- File opened (read-only) \??\N: (f767f4d.exe)
- File opened (read-only) \??\S: (f767f4d.exe)
- File opened (read-only) \??\Q: (f767f4d.exe)
- File opened (read-only) \??\R: (f767f4d.exe)
- File opened (read-only) \??\J: (f767f4d.exe)
- File opened (read-only) \??\L: (f767f4d.exe)
- File opened (read-only) \??\M: (f767f4d.exe)
- File opened (read-only) \??\P: (f767f4d.exe)
- File opened (read-only) \??\O: (f767f4d.exe)
- File opened (read-only) \??\G: (f767f4d.exe)
- File opened (read-only) \??\H: (f767f4d.exe)
- File opened (read-only) \??\I: (f767f4d.exe)
- File opened (read-only) \??\E: (f769af8.exe)
Yara rule matches: upx (behavioral1 memory dumps)
- behavioral1/memory/2344-11-0x00000000006A0000-0x000000000175A000-memory.dmp
- behavioral1/memory/2344-15-0x00000000006A0000-0x000000000175A000-memory.dmp
- behavioral1/memory/2344-17-0x00000000006A0000-0x000000000175A000-memory.dmp
- behavioral1/memory/2344-14-0x00000000006A0000-0x000000000175A000-memory.dmp
- behavioral1/memory/2344-16-0x00000000006A0000-0x000000000175A000-memory.dmp
- behavioral1/memory/2344-21-0x00000000006A0000-0x000000000175A000-memory.dmp
- behavioral1/memory/2344-20-0x00000000006A0000-0x000000000175A000-memory.dmp
- behavioral1/memory/2344-19-0x00000000006A0000-0x000000000175A000-memory.dmp
- behavioral1/memory/2344-18-0x00000000006A0000-0x000000000175A000-memory.dmp
- behavioral1/memory/2344-13-0x00000000006A0000-0x000000000175A000-memory.dmp
- behavioral1/memory/2344-57-0x00000000006A0000-0x000000000175A000-memory.dmp
- behavioral1/memory/2344-58-0x00000000006A0000-0x000000000175A000-memory.dmp
- behavioral1/memory/2344-59-0x00000000006A0000-0x000000000175A000-memory.dmp
- behavioral1/memory/2344-61-0x00000000006A0000-0x000000000175A000-memory.dmp
- behavioral1/memory/2344-60-0x00000000006A0000-0x000000000175A000-memory.dmp
- behavioral1/memory/2344-63-0x00000000006A0000-0x000000000175A000-memory.dmp
- behavioral1/memory/2344-64-0x00000000006A0000-0x000000000175A000-memory.dmp
- behavioral1/memory/2344-79-0x00000000006A0000-0x000000000175A000-memory.dmp
- behavioral1/memory/2344-81-0x00000000006A0000-0x000000000175A000-memory.dmp
- behavioral1/memory/2344-82-0x00000000006A0000-0x000000000175A000-memory.dmp
- behavioral1/memory/2344-147-0x00000000006A0000-0x000000000175A000-memory.dmp
- behavioral1/memory/2588-173-0x0000000000910000-0x00000000019CA000-memory.dmp
- behavioral1/memory/2588-200-0x0000000000910000-0x00000000019CA000-memory.dmp
Drops file in Windows directory (3 IoCs)
- File created C:\Windows\f767fab (f767f4d.exe)
- File opened for modification C:\Windows\SYSTEM.INI (f767f4d.exe)
- File created C:\Windows\f76d079 (f769af8.exe)
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (f767f4d.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (f769af8.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
- PID 2344: f767f4d.exe
- PID 2344: f767f4d.exe
- PID 2588: f769af8.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
- Token: SeDebugPrivilege (PID 2344, f767f4d.exe)
- Token: SeDebugPrivilege (PID 2344, f767f4d.exe)
- Token: SeDebugPrivilege (PID 2344, f767f4d.exe)
- Token: SeDebugPrivilege (PID 2344, f767f4d.exe)
- Token: SeDebugPrivilege (PID 2344, f767f4d.exe)
- Token: SeDebugPrivilege (PID 2344, f767f4d.exe)
- Token: SeDebugPrivilege (PID 2344, f767f4d.exe)
- Token: SeDebugPrivilege (PID 2344, f767f4d.exe)
- Token: SeDebugPrivilege (PID 2344, f767f4d.exe)
- Token: SeDebugPrivilege (PID 2344, f767f4d.exe)
- Token: SeDebugPrivilege (PID 2344, f767f4d.exe)
- Token: SeDebugPrivilege (PID 2344, f767f4d.exe)
- Token: SeDebugPrivilege (PID 2344, f767f4d.exe)
- Token: SeDebugPrivilege (PID 2344, f767f4d.exe)
- Token: SeDebugPrivilege (PID 2344, f767f4d.exe)
- Token: SeDebugPrivilege (PID 2344, f767f4d.exe)
- Token: SeDebugPrivilege (PID 2344, f767f4d.exe)
- Token: SeDebugPrivilege (PID 2344, f767f4d.exe)
- Token: SeDebugPrivilege (PID 2344, f767f4d.exe)
- Token: SeDebugPrivilege (PID 2344, f767f4d.exe)
- Token: SeDebugPrivilege (PID 2344, f767f4d.exe)
- Token: SeDebugPrivilege (PID 2344, f767f4d.exe)
- Token: SeDebugPrivilege (PID 2344, f767f4d.exe)
- Token: SeDebugPrivilege (PID 2588, f769af8.exe)
- Token: SeDebugPrivilege (PID 2588, f769af8.exe)
- Token: SeDebugPrivilege (PID 2588, f769af8.exe)
- Token: SeDebugPrivilege (PID 2588, f769af8.exe)
- Token: SeDebugPrivilege (PID 2588, f769af8.exe)
- Token: SeDebugPrivilege (PID 2588, f769af8.exe)
- Token: SeDebugPrivilege (PID 2588, f769af8.exe)
- Token: SeDebugPrivilege (PID 2588, f769af8.exe)
- Token: SeDebugPrivilege (PID 2588, f769af8.exe)
- Token: SeDebugPrivilege (PID 2588, f769af8.exe)
- Token: SeDebugPrivilege (PID 2588, f769af8.exe)
- Token: SeDebugPrivilege (PID 2588, f769af8.exe)
- Token: SeDebugPrivilege (PID 2588, f769af8.exe)
- Token: SeDebugPrivilege (PID 2588, f769af8.exe)
- Token: SeDebugPrivilege (PID 2588, f769af8.exe)
- Token: SeDebugPrivilege (PID 2588, f769af8.exe)
- Token: SeDebugPrivilege (PID 2588, f769af8.exe)
- Token: SeDebugPrivilege (PID 2588, f769af8.exe)
- Token: SeDebugPrivilege (PID 2588, f769af8.exe)
- Token: SeDebugPrivilege (PID 2588, f769af8.exe)
- Token: SeDebugPrivilege (PID 2588, f769af8.exe)
- Token: SeDebugPrivilege (PID 2588, f769af8.exe)
- Token: SeDebugPrivilege (PID 2588, f769af8.exe)
Suspicious use of WriteProcessMemory (38 IoCs)
- PID 2380 wrote to memory of 2120 (2380 rundll32.exe, procid_target 30)
- PID 2380 wrote to memory of 2120 (2380 rundll32.exe, procid_target 30)
- PID 2380 wrote to memory of 2120 (2380 rundll32.exe, procid_target 30)
- PID 2380 wrote to memory of 2120 (2380 rundll32.exe, procid_target 30)
- PID 2380 wrote to memory of 2120 (2380 rundll32.exe, procid_target 30)
- PID 2380 wrote to memory of 2120 (2380 rundll32.exe, procid_target 30)
- PID 2380 wrote to memory of 2120 (2380 rundll32.exe, procid_target 30)
- PID 2120 wrote to memory of 2344 (2120 rundll32.exe, procid_target 31)
- PID 2120 wrote to memory of 2344 (2120 rundll32.exe, procid_target 31)
- PID 2120 wrote to memory of 2344 (2120 rundll32.exe, procid_target 31)
- PID 2120 wrote to memory of 2344 (2120 rundll32.exe, procid_target 31)
- PID 2344 wrote to memory of 1124 (2344 f767f4d.exe, procid_target 19)
- PID 2344 wrote to memory of 1176 (2344 f767f4d.exe, procid_target 20)
- PID 2344 wrote to memory of 1224 (2344 f767f4d.exe, procid_target 21)
- PID 2344 wrote to memory of 900 (2344 f767f4d.exe, procid_target 25)
- PID 2344 wrote to memory of 2380 (2344 f767f4d.exe, procid_target 29)
- PID 2344 wrote to memory of 2120 (2344 f767f4d.exe, procid_target 30)
- PID 2344 wrote to memory of 2120 (2344 f767f4d.exe, procid_target 30)
- PID 2120 wrote to memory of 1540 (2120 rundll32.exe, procid_target 32)
- PID 2120 wrote to memory of 1540 (2120 rundll32.exe, procid_target 32)
- PID 2120 wrote to memory of 1540 (2120 rundll32.exe, procid_target 32)
- PID 2120 wrote to memory of 1540 (2120 rundll32.exe, procid_target 32)
- PID 2120 wrote to memory of 2588 (2120 rundll32.exe, procid_target 33)
- PID 2120 wrote to memory of 2588 (2120 rundll32.exe, procid_target 33)
- PID 2120 wrote to memory of 2588 (2120 rundll32.exe, procid_target 33)
- PID 2120 wrote to memory of 2588 (2120 rundll32.exe, procid_target 33)
- PID 2344 wrote to memory of 1124 (2344 f767f4d.exe, procid_target 19)
- PID 2344 wrote to memory of 1176 (2344 f767f4d.exe, procid_target 20)
- PID 2344 wrote to memory of 1224 (2344 f767f4d.exe, procid_target 21)
- PID 2344 wrote to memory of 900 (2344 f767f4d.exe, procid_target 25)
- PID 2344 wrote to memory of 1540 (2344 f767f4d.exe, procid_target 32)
- PID 2344 wrote to memory of 1540 (2344 f767f4d.exe, procid_target 32)
- PID 2344 wrote to memory of 2588 (2344 f767f4d.exe, procid_target 33)
- PID 2344 wrote to memory of 2588 (2344 f767f4d.exe, procid_target 33)
- PID 2588 wrote to memory of 1124 (2588 f769af8.exe, procid_target 19)
- PID 2588 wrote to memory of 1176 (2588 f769af8.exe, procid_target 20)
- PID 2588 wrote to memory of 1224 (2588 f769af8.exe, procid_target 21)
- PID 2588 wrote to memory of 900 (2588 f769af8.exe, procid_target 25)
System policy modification (1 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f767f4d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f769af8.exe)
Processes
- C:\Windows\system32\taskhost.exe (command line: "taskhost.exe", PID 1124)
- C:\Windows\system32\Dwm.exe (command line: "C:\Windows\system32\Dwm.exe", PID 1176)
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE, PID 1224)
- C:\Windows\system32\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1449e0c9ea92fce920f70366d23a269d9b3d9c3678096512d1e9507675e6e4e9N.dll,#1, PID 2380)
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1449e0c9ea92fce920f70366d23a269d9b3d9c3678096512d1e9507675e6e4e9N.dll,#1, PID 2120)
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f767f4d.exe (command line: C:\Users\Admin\AppData\Local\Temp\f767f4d.exe, PID 2344)
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f768150.exe (command line: C:\Users\Admin\AppData\Local\Temp\f768150.exe, PID 1540)
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\f769af8.exe (command line: C:\Users\Admin\AppData\Local\Temp\f769af8.exe, PID 2588)
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, PID 900)
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 257B
  - MD5: 292d74418915469fea058c4d1d79825c
  - SHA1: ba7d8aa11b40d63a2d7c2e4c028de31f05a88d3b
  - SHA256: e6be49a0f6a6569a4d844417d2ffe08081c0bb35476a1e7e8460ccbd8f3d1f85
  - SHA512: 60946e0c3030f2f402d8cd837fda50411ca301e463d4005212ce9c813871bc5fb614662cee3532c15fad5ad7b5452509bcb5dcbe76dd654fd2a8f9d64f8c1e8e
- Filesize: 97KB
  - MD5: 133bdf1c810fe6dd7efad7dbd99985df
  - SHA1: 8c75f4d21af545952ba15b54a783b75d91772f47
  - SHA256: 0831c7f4f85f10f2e9dca492faae1fffb4cf5cd093a141d39918852a7eeb5049
  - SHA512: d2fb3f514efa94f40c1d90ecdf9268791e58b7920dbeb2550268d24f984f16bfbe4049b60cb9e7f4684a2767ec5dcea5c456ca97a3639c8bd764b42ab7d01720