Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

2cd872f977...aN.exe

windows7-x64

10

2cd872f977...aN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2024, 15:19 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2cd872f97767b7c125f2a3acd84aa6ad7c7be33a1c0a5b8df0b53b658b9d625aN.exe

  • Size

    467KB

  • MD5

    abd2bd452e92fffc8cb37dcc96bed350

  • SHA1

    79542641afb02cf5cc4f3675a5e77848198cab4c

  • SHA256

    2cd872f97767b7c125f2a3acd84aa6ad7c7be33a1c0a5b8df0b53b658b9d625a

  • SHA512

    10463e99ea5ff5ee9a49697b1c829bb2fe641f6ba2a7c48b21f18cb6ab7221713e9536f1a98430c73a96e8fb7b1275177a3e2df733a3b85366f2176367d820b2

  • SSDEEP

    6144:4+rxvPoiHw7sQ65lZvygWnMF6kOr6ZOhm1wdZkRmxVEjPLox2xqBBgGLbSU:Prx3IsQelZvAnbRr6ZGm1wdZkIxYWj/F

Score
10/10
salitybackdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:776
    • C:\Windows\system32\fontdrvhost.exe
      "fontdrvhost.exe"
      1⤵
        PID:780
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
          PID:316
        • C:\Windows\system32\sihost.exe
          sihost.exe
          1⤵
            PID:2612
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
            1⤵
              PID:2636
            • C:\Windows\system32\taskhostw.exe
              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
              1⤵
                PID:3008
              • C:\Windows\Explorer.EXE
                C:\Windows\Explorer.EXE
                1⤵
                  PID:3632
                  • C:\Users\Admin\AppData\Local\Temp\2cd872f97767b7c125f2a3acd84aa6ad7c7be33a1c0a5b8df0b53b658b9d625aN.exe
                    "C:\Users\Admin\AppData\Local\Temp\2cd872f97767b7c125f2a3acd84aa6ad7c7be33a1c0a5b8df0b53b658b9d625aN.exe"
                    2⤵
                    • Modifies firewall policy service
                    • UAC bypass
                    • Windows security bypass
                    • Loads dropped DLL
                    • Windows security modification
                    • Checks whether UAC is enabled
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    • System policy modification
                    PID:2308
                    • C:\Windows\System32\Conhost.exe
                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      3⤵
                        PID:4580
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                    1⤵
                      PID:3756
                    • C:\Windows\system32\DllHost.exe
                      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                      1⤵
                        PID:3928
                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                        1⤵
                          PID:4028
                        • C:\Windows\System32\RuntimeBroker.exe
                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                          1⤵
                            PID:4092
                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                            1⤵
                              PID:3068
                            • C:\Windows\System32\RuntimeBroker.exe
                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                              1⤵
                                PID:4180
                              • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
                                "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
                                1⤵
                                  PID:3408
                                • C:\Windows\System32\RuntimeBroker.exe
                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                  1⤵
                                    PID:3256
                                  • C:\Windows\system32\backgroundTaskHost.exe
                                    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                    1⤵
                                      PID:2968

                                    Network

                                    • flag-us
                                      DNS
                                      232.168.11.51.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      232.168.11.51.in-addr.arpa
                                      IN PTR
                                      Response
                                    • flag-us
                                      DNS
                                      83.210.23.2.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      83.210.23.2.in-addr.arpa
                                      IN PTR
                                      Response
                                      83.210.23.2.in-addr.arpa
                                      IN PTR
                                      a2-23-210-83deploystaticakamaitechnologiescom
                                    • flag-us
                                      DNS
                                      71.159.190.20.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      71.159.190.20.in-addr.arpa
                                      IN PTR
                                      Response
                                    • flag-us
                                      DNS
                                      95.221.229.192.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      95.221.229.192.in-addr.arpa
                                      IN PTR
                                      Response
                                    • flag-us
                                      DNS
                                      209.205.72.20.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      209.205.72.20.in-addr.arpa
                                      IN PTR
                                      Response
                                    • flag-us
                                      DNS
                                      212.20.149.52.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      212.20.149.52.in-addr.arpa
                                      IN PTR
                                      Response
                                    • flag-us
                                      DNS
                                      206.23.85.13.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      206.23.85.13.in-addr.arpa
                                      IN PTR
                                      Response
                                    • flag-us
                                      DNS
                                      29.243.111.52.in-addr.arpa
                                      Remote address:
                                      8.8.8.8:53
                                      Request
                                      29.243.111.52.in-addr.arpa
                                      IN PTR
                                      Response
                                    No results found
                                    • 8.8.8.8:53
                                      232.168.11.51.in-addr.arpa
                                      dns
                                      72 B
                                       158 B
                                       1
                                      1

                                      DNS Request

                                      232.168.11.51.in-addr.arpa

                                    • 8.8.8.8:53
                                      83.210.23.2.in-addr.arpa
                                      dns
                                      70 B
                                       133 B
                                       1
                                      1

                                      DNS Request

                                      83.210.23.2.in-addr.arpa

                                    • 8.8.8.8:53
                                      71.159.190.20.in-addr.arpa
                                      dns
                                      72 B
                                       158 B
                                       1
                                      1

                                      DNS Request

                                      71.159.190.20.in-addr.arpa

                                    • 8.8.8.8:53
                                      95.221.229.192.in-addr.arpa
                                      dns
                                      73 B
                                       144 B
                                       1
                                      1

                                      DNS Request

                                      95.221.229.192.in-addr.arpa

                                    • 8.8.8.8:53
                                      209.205.72.20.in-addr.arpa
                                      dns
                                      72 B
                                       158 B
                                       1
                                      1

                                      DNS Request

                                      209.205.72.20.in-addr.arpa

                                    • 8.8.8.8:53
                                      212.20.149.52.in-addr.arpa
                                      dns
                                      72 B
                                       146 B
                                       1
                                      1

                                      DNS Request

                                      212.20.149.52.in-addr.arpa

                                    • 8.8.8.8:53
                                      206.23.85.13.in-addr.arpa
                                      dns
                                      71 B
                                       145 B
                                       1
                                      1

                                      DNS Request

                                      206.23.85.13.in-addr.arpa

                                    • 8.8.8.8:53
                                      29.243.111.52.in-addr.arpa
                                      dns
                                      72 B
                                       158 B
                                       1
                                      1

                                      DNS Request

                                      29.243.111.52.in-addr.arpa

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Temp\euiCB2F.tmp
                                      Filesize

                                      172KB

                                      MD5

                                      685f1cbd4af30a1d0c25f252d399a666

                                      SHA1

                                      6a1b978f5e6150b88c8634146f1406ed97d2f134

                                      SHA256

                                      0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

                                      SHA512

                                      6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

                                      Download Submit

                                    • memory/2308-18-0x0000000002850000-0x000000000390A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/2308-17-0x0000000002850000-0x000000000390A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/2308-5-0x0000000000900000-0x0000000000973000-memory.dmp

                                      Filesize

                                      460KB

                                      Download

                                    • memory/2308-9-0x0000000002850000-0x000000000390A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/2308-11-0x0000000002850000-0x000000000390A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/2308-15-0x0000000002850000-0x000000000390A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/2308-13-0x0000000002850000-0x000000000390A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/2308-12-0x0000000002850000-0x000000000390A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/2308-14-0x0000000002850000-0x000000000390A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/2308-0-0x0000000000400000-0x0000000000450000-memory.dmp

                                      Filesize

                                      320KB

                                      Download

                                    • memory/2308-6-0x0000000000900000-0x0000000000973000-memory.dmp

                                      Filesize

                                      460KB

                                      Download

                                    • memory/2308-28-0x0000000000A30000-0x0000000000A32000-memory.dmp

                                      Filesize

                                      8KB

                                      Download

                                    • memory/2308-19-0x0000000002850000-0x000000000390A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/2308-23-0x0000000000A30000-0x0000000000A32000-memory.dmp

                                      Filesize

                                      8KB

                                      Download

                                    • memory/2308-16-0x0000000002850000-0x000000000390A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/2308-21-0x0000000000A40000-0x0000000000A41000-memory.dmp

                                      Filesize

                                      4KB

                                      Download

                                    • memory/2308-20-0x0000000000A30000-0x0000000000A32000-memory.dmp

                                      Filesize

                                      8KB

                                      Download

                                    • memory/2308-30-0x0000000000A30000-0x0000000000A32000-memory.dmp

                                      Filesize

                                      8KB

                                      Download

                                    • memory/2308-35-0x0000000002850000-0x000000000390A000-memory.dmp

                                      Filesize

                                      16.7MB

                                      Download

                                    • memory/2308-42-0x0000000000400000-0x0000000000450000-memory.dmp

                                      Filesize

                                      320KB

                                      Download

                                    • memory/2308-41-0x0000000000900000-0x0000000000973000-memory.dmp

                                      Filesize

                                      460KB

                                      Download

                                    We care about your privacy.

                                    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.