Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

82708651f1...75.dll

windows7-x64

10

82708651f1...75.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    33s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2024, 15:10 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    82708651f1bc3f6d6c594eb02f77774110aba1c0d85c19ac82f56af35b988175.dll

  • Size

    120KB

  • MD5

    005dddd4d453daf2c6e1dfcf5005a9b2

  • SHA1

    1036e2c9fc35288aaeafbf405598a8185788aa20

  • SHA256

    82708651f1bc3f6d6c594eb02f77774110aba1c0d85c19ac82f56af35b988175

  • SHA512

    5d3c06a8b81a5671b1b84fc179be8f45c64dcf2811cb3459b83e89aafbc4cb330a780a346e2b1c66fdde34f87444b297c601d08521833df16a741fc40c606c44

  • SSDEEP

    1536:BlO+6YXHf3lXPCUcg3u3ZDBaEM9FDhFOW2G8kutBUlF8QD7Zint9Q5ndQGD/Vhd:BZZHFC9gnEoF9J8kYUBDKAqGLR

Score
10/10
salitybackdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 13 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 28 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:792
    • C:\Windows\system32\fontdrvhost.exe
      "fontdrvhost.exe"
      1⤵
        PID:796
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
          PID:384
        • C:\Windows\system32\sihost.exe
          sihost.exe
          1⤵
            PID:2536
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
            1⤵
              PID:2556
            • C:\Windows\system32\taskhostw.exe
              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
              1⤵
                PID:2636
              • C:\Windows\Explorer.EXE
                C:\Windows\Explorer.EXE
                1⤵
                  PID:3144
                  • C:\Windows\system32\rundll32.exe
                    rundll32.exe C:\Users\Admin\AppData\Local\Temp\82708651f1bc3f6d6c594eb02f77774110aba1c0d85c19ac82f56af35b988175.dll,#1
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2768
                    • C:\Windows\SysWOW64\rundll32.exe
                      rundll32.exe C:\Users\Admin\AppData\Local\Temp\82708651f1bc3f6d6c594eb02f77774110aba1c0d85c19ac82f56af35b988175.dll,#1
                      3⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:4644
                      • C:\Users\Admin\AppData\Local\Temp\e57b834.exe
                        C:\Users\Admin\AppData\Local\Temp\e57b834.exe
                        4⤵
                        • Modifies firewall policy service
                        • UAC bypass
                        • Windows security bypass
                        • Executes dropped EXE
                        • Windows security modification
                        • Checks whether UAC is enabled
                        • Enumerates connected drives
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        • System policy modification
                        PID:2032
                      • C:\Users\Admin\AppData\Local\Temp\e57b9da.exe
                        C:\Users\Admin\AppData\Local\Temp\e57b9da.exe
                        4⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:4388
                      • C:\Users\Admin\AppData\Local\Temp\e57e956.exe
                        C:\Users\Admin\AppData\Local\Temp\e57e956.exe
                        4⤵
                        • Modifies firewall policy service
                        • UAC bypass
                        • Windows security bypass
                        • Executes dropped EXE
                        • Windows security modification
                        • Checks whether UAC is enabled
                        • Enumerates connected drives
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        • System policy modification
                        PID:2872
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                  1⤵
                    PID:3604
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                    1⤵
                      PID:3812
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                        PID:3912
                      • C:\Windows\System32\RuntimeBroker.exe
                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                        1⤵
                          PID:3996
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          1⤵
                            PID:4080
                          • C:\Windows\System32\RuntimeBroker.exe
                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                            1⤵
                              PID:3748
                            • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
                              "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
                              1⤵
                                PID:1568
                              • C:\Windows\System32\RuntimeBroker.exe
                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                1⤵
                                  PID:1684
                                • C:\Windows\system32\backgroundTaskHost.exe
                                  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                  1⤵
                                    PID:1124

                                  Network

                                  • flag-us
                                    DNS
                                    149.220.183.52.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    149.220.183.52.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    172.210.232.199.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    172.210.232.199.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    73.159.190.20.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    73.159.190.20.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    95.221.229.192.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    95.221.229.192.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    104.219.191.52.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    104.219.191.52.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    53.210.109.20.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    53.210.109.20.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    15.164.165.52.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    15.164.165.52.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    43.229.111.52.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    43.229.111.52.in-addr.arpa
                                    IN PTR
                                    Response
                                  No results found
                                  • 8.8.8.8:53
                                    149.220.183.52.in-addr.arpa
                                    dns
                                    73 B
                                     147 B
                                     1
                                    1

                                    DNS Request

                                    149.220.183.52.in-addr.arpa

                                  • 8.8.8.8:53
                                    172.210.232.199.in-addr.arpa
                                    dns
                                    74 B
                                     128 B
                                     1
                                    1

                                    DNS Request

                                    172.210.232.199.in-addr.arpa

                                  • 8.8.8.8:53
                                    73.159.190.20.in-addr.arpa
                                    dns
                                    72 B
                                     158 B
                                     1
                                    1

                                    DNS Request

                                    73.159.190.20.in-addr.arpa

                                  • 8.8.8.8:53
                                    95.221.229.192.in-addr.arpa
                                    dns
                                    73 B
                                     144 B
                                     1
                                    1

                                    DNS Request

                                    95.221.229.192.in-addr.arpa

                                  • 8.8.8.8:53
                                    104.219.191.52.in-addr.arpa
                                    dns
                                    73 B
                                     147 B
                                     1
                                    1

                                    DNS Request

                                    104.219.191.52.in-addr.arpa

                                  • 8.8.8.8:53
                                    53.210.109.20.in-addr.arpa
                                    dns
                                    72 B
                                     158 B
                                     1
                                    1

                                    DNS Request

                                    53.210.109.20.in-addr.arpa

                                  • 8.8.8.8:53
                                    15.164.165.52.in-addr.arpa
                                    dns
                                    72 B
                                     146 B
                                     1
                                    1

                                    DNS Request

                                    15.164.165.52.in-addr.arpa

                                  • 8.8.8.8:53
                                    43.229.111.52.in-addr.arpa
                                    dns
                                    72 B
                                     158 B
                                     1
                                    1

                                    DNS Request

                                    43.229.111.52.in-addr.arpa

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Temp\e57b834.exe
                                    Filesize

                                    97KB

                                    MD5

                                    c961515ad078fd7bf66e7aa030289959

                                    SHA1

                                    70a37672dbd8b0cd7132a1769c0080bbfd8e1c2c

                                    SHA256

                                    b31bf0e3dd22240e2105c9a4f4cbb970f9ebc3e74484fcc5c8c159c5e48f05b3

                                    SHA512

                                    d38d4daa372bde76a4d8515acc9854e7bb1b663157122dc71d3f5744e95c2a4076d907a0f6037494ca005f1221727ddb1c63587b8d6b61335fad7cd700dc1c52

                                    Download Submit

                                  • C:\Windows\SYSTEM.INI
                                    Filesize

                                    256B

                                    MD5

                                    973437b0b21e04a411b9d29c4aeaebf8

                                    SHA1

                                    ebf31729c52048da32f1b892e566b0d6513da952

                                    SHA256

                                    cb590582caa8bed1a222615af63cf2c44ea6003e3d6ff65656547a81677fa784

                                    SHA512

                                    ad3261c6c599abcd536e1a9592ae53f6a36653d692d669158a00354c57a39b8f8e22a5250a7e7a630088decb3827d0b3aa5f02bcce4a9343abe53585fd115981

                                    Download Submit

                                  • memory/2032-39-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-5-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/2032-9-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-11-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-89-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/2032-27-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-31-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-70-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-19-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-18-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-30-0x00000000037A0000-0x00000000037A2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/2032-68-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-28-0x00000000037A0000-0x00000000037A2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/2032-23-0x0000000003FB0000-0x0000000003FB1000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/2032-65-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-64-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-10-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-12-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-6-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-33-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-36-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-37-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-38-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-40-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-8-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-61-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-63-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-59-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-47-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-58-0x0000000000840000-0x00000000018FA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2032-53-0x00000000037A0000-0x00000000037A2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/2872-95-0x0000000000810000-0x00000000018CA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2872-54-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/2872-151-0x0000000000810000-0x00000000018CA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2872-150-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/2872-128-0x00000000005F0000-0x00000000005F2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/2872-127-0x0000000000810000-0x00000000018CA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/2872-114-0x00000000005F0000-0x00000000005F2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/2872-115-0x0000000000600000-0x0000000000601000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/4388-90-0x00000000001C0000-0x00000000001C2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/4388-94-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/4388-34-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/4388-43-0x0000000000870000-0x0000000000871000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/4388-45-0x00000000001C0000-0x00000000001C2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/4388-44-0x00000000001C0000-0x00000000001C2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/4644-52-0x0000000001360000-0x0000000001362000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/4644-24-0x0000000001360000-0x0000000001362000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/4644-29-0x0000000001360000-0x0000000001362000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/4644-21-0x0000000004330000-0x0000000004331000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/4644-20-0x0000000001360000-0x0000000001362000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/4644-0-0x0000000010000000-0x0000000010020000-memory.dmp

                                    Filesize

                                    128KB

                                    Download

                                  We care about your privacy.

                                  This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.