Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

155738cb19...ba.dll

windows7-x64

10

155738cb19...ba.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2024, 20:03 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    155738cb19add2654c6d3fff1190fb372145a1c4c8c9ab3ffd204a6cc13484ba.dll

  • Size

    120KB

  • MD5

    d42ccb63a29c50719ea1f60e898c8284

  • SHA1

    4e9971be1042ce23bde196456485339855a4203f

  • SHA256

    155738cb19add2654c6d3fff1190fb372145a1c4c8c9ab3ffd204a6cc13484ba

  • SHA512

    fdc50dc4dc13ab81d9f187402087e49cb79ac29dc3f3439e3d6734b9c91d3ccfc5e02f73e5cbaf1cf130a01c5ef5849d4ea7587408af45cf70675e701774695c

  • SSDEEP

    3072:5pUT8LXnzplC0/EY9dTkNJWf7HeO9pm6:jVLXLskTew

Score
10/10
salitybackdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 15 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 33 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:780
    • C:\Windows\system32\fontdrvhost.exe
      "fontdrvhost.exe"
      1⤵
        PID:776
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
          PID:336
        • C:\Windows\system32\sihost.exe
          sihost.exe
          1⤵
            PID:2868
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
            1⤵
              PID:2888
            • C:\Windows\system32\taskhostw.exe
              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
              1⤵
                PID:2968
              • C:\Windows\Explorer.EXE
                C:\Windows\Explorer.EXE
                1⤵
                  PID:3396
                  • C:\Windows\system32\rundll32.exe
                    rundll32.exe C:\Users\Admin\AppData\Local\Temp\155738cb19add2654c6d3fff1190fb372145a1c4c8c9ab3ffd204a6cc13484ba.dll,#1
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1684
                    • C:\Windows\SysWOW64\rundll32.exe
                      rundll32.exe C:\Users\Admin\AppData\Local\Temp\155738cb19add2654c6d3fff1190fb372145a1c4c8c9ab3ffd204a6cc13484ba.dll,#1
                      3⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:1476
                      • C:\Users\Admin\AppData\Local\Temp\e577e58.exe
                        C:\Users\Admin\AppData\Local\Temp\e577e58.exe
                        4⤵
                        • Modifies firewall policy service
                        • UAC bypass
                        • Windows security bypass
                        • Executes dropped EXE
                        • Windows security modification
                        • Checks whether UAC is enabled
                        • Enumerates connected drives
                        • Drops file in Program Files directory
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        • System policy modification
                        PID:3900
                      • C:\Users\Admin\AppData\Local\Temp\e577fa0.exe
                        C:\Users\Admin\AppData\Local\Temp\e577fa0.exe
                        4⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:2696
                      • C:\Users\Admin\AppData\Local\Temp\e5799bf.exe
                        C:\Users\Admin\AppData\Local\Temp\e5799bf.exe
                        4⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:3948
                      • C:\Users\Admin\AppData\Local\Temp\e5799cf.exe
                        C:\Users\Admin\AppData\Local\Temp\e5799cf.exe
                        4⤵
                        • Modifies firewall policy service
                        • UAC bypass
                        • Windows security bypass
                        • Executes dropped EXE
                        • Windows security modification
                        • Checks whether UAC is enabled
                        • Enumerates connected drives
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        • System policy modification
                        PID:412
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                  1⤵
                    PID:3524
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                    1⤵
                      PID:3720
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                        PID:3812
                      • C:\Windows\System32\RuntimeBroker.exe
                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                        1⤵
                          PID:3876
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          1⤵
                            PID:3956
                          • C:\Windows\System32\RuntimeBroker.exe
                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                            1⤵
                              PID:432
                            • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
                              "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
                              1⤵
                                PID:2556
                              • C:\Windows\System32\RuntimeBroker.exe
                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                1⤵
                                  PID:3288
                                • C:\Windows\system32\backgroundTaskHost.exe
                                  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                  1⤵
                                    PID:4368

                                  Network

                                  • flag-us
                                    DNS
                                    97.17.167.52.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    97.17.167.52.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    101.210.23.2.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    101.210.23.2.in-addr.arpa
                                    IN PTR
                                    Response
                                    101.210.23.2.in-addr.arpa
                                    IN PTR
                                    a2-23-210-101deploystaticakamaitechnologiescom
                                  • flag-us
                                    DNS
                                    14.160.190.20.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    14.160.190.20.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    95.221.229.192.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    95.221.229.192.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    228.249.119.40.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    228.249.119.40.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    200.163.202.172.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    200.163.202.172.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    206.23.85.13.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    206.23.85.13.in-addr.arpa
                                    IN PTR
                                    Response
                                  • flag-us
                                    DNS
                                    220.190.18.2.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    220.190.18.2.in-addr.arpa
                                    IN PTR
                                    Response
                                    220.190.18.2.in-addr.arpa
                                    IN PTR
                                    a2-18-190-220deploystaticakamaitechnologiescom
                                  • flag-us
                                    DNS
                                    83.210.23.2.in-addr.arpa
                                    Remote address:
                                    8.8.8.8:53
                                    Request
                                    83.210.23.2.in-addr.arpa
                                    IN PTR
                                    Response
                                    83.210.23.2.in-addr.arpa
                                    IN PTR
                                    a2-23-210-83deploystaticakamaitechnologiescom
                                  No results found
                                  • 8.8.8.8:53
                                    97.17.167.52.in-addr.arpa
                                    dns
                                    71 B
                                     145 B
                                     1
                                    1

                                    DNS Request

                                    97.17.167.52.in-addr.arpa

                                  • 8.8.8.8:53
                                    101.210.23.2.in-addr.arpa
                                    dns
                                    71 B
                                     135 B
                                     1
                                    1

                                    DNS Request

                                    101.210.23.2.in-addr.arpa

                                  • 8.8.8.8:53
                                    14.160.190.20.in-addr.arpa
                                    dns
                                    72 B
                                     158 B
                                     1
                                    1

                                    DNS Request

                                    14.160.190.20.in-addr.arpa

                                  • 8.8.8.8:53
                                    95.221.229.192.in-addr.arpa
                                    dns
                                    73 B
                                     144 B
                                     1
                                    1

                                    DNS Request

                                    95.221.229.192.in-addr.arpa

                                  • 8.8.8.8:53
                                    228.249.119.40.in-addr.arpa
                                    dns
                                    73 B
                                     159 B
                                     1
                                    1

                                    DNS Request

                                    228.249.119.40.in-addr.arpa

                                  • 8.8.8.8:53
                                    200.163.202.172.in-addr.arpa
                                    dns
                                    74 B
                                     160 B
                                     1
                                    1

                                    DNS Request

                                    200.163.202.172.in-addr.arpa

                                  • 8.8.8.8:53
                                    206.23.85.13.in-addr.arpa
                                    dns
                                    71 B
                                     145 B
                                     1
                                    1

                                    DNS Request

                                    206.23.85.13.in-addr.arpa

                                  • 8.8.8.8:53
                                    220.190.18.2.in-addr.arpa
                                    dns
                                    71 B
                                     135 B
                                     1
                                    1

                                    DNS Request

                                    220.190.18.2.in-addr.arpa

                                  • 8.8.8.8:53
                                    83.210.23.2.in-addr.arpa
                                    dns
                                    70 B
                                     133 B
                                     1
                                    1

                                    DNS Request

                                    83.210.23.2.in-addr.arpa

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Temp\e577e58.exe
                                    Filesize

                                    97KB

                                    MD5

                                    e5187e346b4474f19bd50084ca7085cc

                                    SHA1

                                    b03b97fe7770a0f5848298b24824ef963d9744b2

                                    SHA256

                                    75be5cfd57923a7049e38433015daca3f910e398440747fe95c384204d180832

                                    SHA512

                                    e0e7f5aa26b449d5456d69a8814bfa39305465b8428ea66d3e728ae60dc1343108ec04a465f34f56571644e67418132fef3441ad4901455f4a4c87a2657b292b

                                    Download Submit

                                  • C:\Windows\SYSTEM.INI
                                    Filesize

                                    257B

                                    MD5

                                    7940f5bb7db0082608606aea5f629897

                                    SHA1

                                    fbcb8cc2011644b1dca35bb9a40e73d0fb010a94

                                    SHA256

                                    af6a1b72c1e82e1919fd9f4c69d27c6421fdfa5e79762b75540207923b963738

                                    SHA512

                                    3bd4a962d8534e409f4f1add2f2ba4cc4ae803c4d21f466aeb4e2a049a9887782182892ec55cdc55df1215bfddb5ef2cb39237cef5bc255a3f0e0815bc4f08fa

                                    Download Submit

                                  • memory/412-166-0x0000000000B30000-0x0000000001BEA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/412-165-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/412-131-0x0000000000B30000-0x0000000001BEA000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/412-73-0x00000000001F0000-0x00000000001F2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/412-96-0x00000000001F0000-0x00000000001F2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/412-74-0x00000000001F0000-0x00000000001F2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/412-56-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/412-69-0x0000000000420000-0x0000000000421000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/1476-24-0x0000000001320000-0x0000000001322000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/1476-0-0x0000000010000000-0x0000000010020000-memory.dmp

                                    Filesize

                                    128KB

                                    Download

                                  • memory/1476-20-0x0000000001320000-0x0000000001322000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/1476-21-0x0000000002D70000-0x0000000002D71000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/1476-29-0x0000000001320000-0x0000000001322000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/2696-90-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/2696-71-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/2696-67-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/2696-64-0x00000000001F0000-0x00000000001F1000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/2696-34-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/2696-119-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/3900-60-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-12-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-37-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-38-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-39-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-40-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-42-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-43-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-57-0x0000000001A30000-0x0000000001A32000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/3900-8-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-6-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-58-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-5-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/3900-61-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-9-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-13-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-11-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-28-0x0000000001A30000-0x0000000001A32000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/3900-10-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-75-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-30-0x0000000001A30000-0x0000000001A32000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/3900-36-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-23-0x0000000003FB0000-0x0000000003FB1000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/3900-32-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-77-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-80-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-83-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-84-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-86-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-88-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-19-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-35-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-92-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-94-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-25-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-98-0x00000000007E0000-0x000000000189A000-memory.dmp

                                    Filesize

                                    16.7MB

                                    Download

                                  • memory/3900-104-0x0000000001A30000-0x0000000001A32000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/3900-115-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/3948-91-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/3948-66-0x00000000001F0000-0x00000000001F1000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/3948-70-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/3948-147-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/3948-72-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/3948-55-0x0000000000400000-0x0000000000412000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  We care about your privacy.

                                  This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.