Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

d188d00ecb...3e.exe

windows7-x64

10

d188d00ecb...3e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12/01/2025, 12:43 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe

  • Size

    708KB

  • MD5

    6bcde3e955429f9ef45523a341d85126

  • SHA1

    9a6c19105967f70333e95c11ac76a53babf9aff6

  • SHA256

    d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e

  • SHA512

    ba1de53291fca48e7d2306d2d5807abc9aab185e13d5418af13fab3345ca41a2c06c016be40ff7acb9fbfa1812136e17b5207940aa033bb624d747671f63efb5

  • SSDEEP

    12288:7qU89vzAaKUaQqbWQrPBFSHvkJO1tmPY+QL2TFDhvfo:svzrpEWQ7zmvFYQL2FNQ

Score
10/10
neshtasalitybackdoordiscoveryevasionpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

http://klkjwre77638dfqwieuoi888.info/

Signatures

  • Detect Neshta payload 6 IoCs
  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Neshta family
    neshta
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Loads dropped DLL 2 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • UPX packed file 32 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1128
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1184
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1260
          • C:\Users\Admin\AppData\Local\Temp\d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe
            "C:\Users\Admin\AppData\Local\Temp\d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Disables RegEdit via registry modification
            • Loads dropped DLL
            • Modifies system executable filetype association
            • Windows security modification
            • Checks whether UAC is enabled
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1876
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1544

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Persistence

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Event Triggered Execution

          1
          T1546

          Change Default File Association

          1
          T1546.001

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Event Triggered Execution

          1
          T1546

          Change Default File Association

          1
          T1546.001

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          4
          T1562

          Disable or Modify System Firewall

          1
          T1562.004

          Disable or Modify Tools

          3
          T1562.001

          Modify Registry

          6
          T1112

          Credential Access

          Credentials from Password Stores

          1
          T1555

          Credentials from Web Browsers

          1
          T1555.003

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          System Information Discovery

          2
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\0F76FA27_Rar\d188d00ecb8c52128de8dd7fd2754402b9a22e3d4047910b078527620eef2c3e.exe
            Filesize

            636KB

            MD5

            84a781ca5f8a74e1bc0435a86f621e30

            SHA1

            c09984c8f65019a657225c71b033da2806860e8e

            SHA256

            14fae45010f78d936311204bc7bbc27f44ee7b27aca345b1c765fcbad80c8f50

            SHA512

            1c7f08ca26871cb9f10b8cb4900d28014d6a262baa04b1891996c4e0abe30bbd6ede70de4e12f7f084fd8b9509dfa3dfaae4d4a01bd6d33274b2f7193ef2eecc

            Download Submit

          • \MSOCache\ALLUSE~1\{9A861~1\ose.exe
            Filesize

            213KB

            MD5

            f91b4a1064ff3c8f3c3c8c6ec30971f5

            SHA1

            cc4b6887d58d643a1130bdc73bb00e890ad0c47a

            SHA256

            ba044f9246873626d7525eab6f65c433bbe0efaae109d528f4970d069493a6fe

            SHA512

            7771eff34f1767f77e62ae7527fb2de37083fd8abfdae3096d92c0adf5d2be67cafe39f48d1949417cccaa5e6e16a02448cf746dc4071359bcc6c0cebfabc136

            Download Submit

          • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
            Filesize

            252KB

            MD5

            9e2b9928c89a9d0da1d3e8f4bd96afa7

            SHA1

            ec66cda99f44b62470c6930e5afda061579cde35

            SHA256

            8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

            SHA512

            2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

            Download Submit

          • memory/1128-22-0x00000000001E0000-0x00000000001E2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1876-41-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-50-0x0000000000400000-0x000000000042D000-memory.dmp

            Filesize

            180KB

            Download

          • memory/1876-11-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-17-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-12-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-18-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-15-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-21-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-20-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-16-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-36-0x00000000038F0000-0x00000000038F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1876-35-0x00000000038F0000-0x00000000038F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1876-34-0x0000000003900000-0x0000000003901000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1876-32-0x0000000003900000-0x0000000003901000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1876-31-0x00000000038F0000-0x00000000038F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1876-37-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-39-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-47-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-0-0x0000000000400000-0x000000000042D000-memory.dmp

            Filesize

            180KB

            Download

          • memory/1876-44-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-13-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-45-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-40-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-48-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-14-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-60-0x000000002D170000-0x000000002D1A8000-memory.dmp

            Filesize

            224KB

            Download

          • memory/1876-59-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-62-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-68-0x00000000038F0000-0x00000000038F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1876-69-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-70-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-72-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-79-0x0000000000400000-0x000000000042D000-memory.dmp

            Filesize

            180KB

            Download

          • memory/1876-9-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-141-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-156-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-157-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-160-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-161-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-164-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-165-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-210-0x0000000000400000-0x000000000042D000-memory.dmp

            Filesize

            180KB

            Download

          • memory/1876-211-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

            Filesize

            16.6MB

            Download

          We care about your privacy.

          This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.