Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/01/2025, 22:20 UTC

General

  • Target

    2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe

  • Size

    885KB

  • MD5

    27ff90d09ce687ec73df98beb893f897

  • SHA1

    c27f85bbb51cf31ae672aa76ca43d3ad079d01c2

  • SHA256

    2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67

  • SHA512

    3e3f45da09864cbb33dd6b550d28aba3a9f255b697b7de94da6aa6b338bef1206a39df0feb50a22bc8175feef01199d0d45fe98751cffd95e97a95593ed71127

  • SSDEEP

    12288:EMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Evx9tIJa:EnsJ39LyjbJkQFMhmC+6GD9AZ

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    xredline1@gmail.com

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • Sality family
  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\wininit.exe
    wininit.exe
    1⤵
    PID:384
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      2⤵
      PID:476
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch
        3⤵
        PID:592
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          4⤵
          PID:1336
        • C:\Windows\system32\wbem\wmiprvse.exe
          C:\Windows\system32\wbem\wmiprvse.exe
          4⤵
          PID:316
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k RPCSS
        3⤵
        PID:672
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
        3⤵
        PID:752
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
        3⤵
        PID:812
        • C:\Windows\system32\Dwm.exe
          "C:\Windows\system32\Dwm.exe"
          4⤵
          PID:1168
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        3⤵
        PID:840
        • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
          wmiadap.exe /F /T /R
          4⤵
          PID:2120
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalService
        3⤵
        PID:960
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k NetworkService
        3⤵
        PID:108
      • C:\Windows\System32\spoolsv.exe
        C:\Windows\System32\spoolsv.exe
        3⤵
        PID:1020
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
        3⤵
        PID:1028
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        3⤵
        PID:1116
      • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
        3⤵
        PID:1532
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
        3⤵
        PID:3052
      • C:\Windows\system32\sppsvc.exe
        C:\Windows\system32\sppsvc.exe
        3⤵
        PID:1616
    • C:\Windows\system32\lsass.exe
      C:\Windows\system32\lsass.exe
      2⤵
      PID:492
    • C:\Windows\system32\lsm.exe
      C:\Windows\system32\lsm.exe
      2⤵
      PID:500
  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    PID:392
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
    PID:432
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1224
    • C:\Users\Admin\AppData\Local\Temp\2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe
      "C:\Users\Admin\AppData\Local\Temp\2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Users\Admin\AppData\Local\Temp\._cache_2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe"
        3⤵
        • Modifies firewall policy service
        • UAC bypass
        • Windows security bypass
        • Deletes itself
        • Executes dropped EXE
        • Windows security modification
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2480

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize: 885KB
    MD5: 27ff90d09ce687ec73df98beb893f897
    SHA1: c27f85bbb51cf31ae672aa76ca43d3ad079d01c2
    SHA256: 2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67
    SHA512: 3e3f45da09864cbb33dd6b550d28aba3a9f255b697b7de94da6aa6b338bef1206a39df0feb50a22bc8175feef01199d0d45fe98751cffd95e97a95593ed71127

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize: 912KB
    MD5: d083c47aaf61703d283facd2f89d3fef
    SHA1: e7c7fe9a617d67b3ccad162e20b144f0a7fbf354
    SHA256: c22cbb9ba2dd4a770cef411d9089a1a082a7fd9fb043b3a35b868892be5f5e7d
    SHA512: 124c9f007c535a236f7018857f5de862f689a251afc344eac0d705190a260235038c2d75cdfeec7c295db48c574ce15718397d2c6380685529d9d1171cfe2d45

  • \Users\Admin\AppData\Local\Temp\._cache_2dcb89c9d130557481a291a7380f1f542a525fb5892836ab93844c698cd80a67.exe
    Filesize: 132KB
    MD5: df1a5688c382996d68c40f2d861d7326
    SHA1: 3dcdf803e8621c8f89d98e48fb2cfe499918b21c
    SHA256: eb036c4a775ddb2df834c0d3a46a103a964abebe4f74321ac19cd80a6270900a
    SHA512: 004ec9d54129139a19fe3d307692fdea721f931174e9ded20d7f57236c0c226fcbea706c10f1e0e527bfa2b67cf394db75b6386102a57dbd3b2a842226b8143f

  • memory/1116-34-0x0000000000430000-0x0000000000432000-memory.dmp
    Filesize: 8KB
  • memory/1932-0-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize: 4KB
  • memory/1932-32-0x0000000000400000-0x00000000004E3000-memory.dmp
    Filesize: 908KB
  • memory/2480-45-0x0000000000530000-0x0000000000531000-memory.dmp
    Filesize: 4KB
  • memory/2480-20-0x0000000001DE0000-0x0000000002E6E000-memory.dmp
    Filesize: 16.6MB
  • memory/2480-25-0x0000000001DE0000-0x0000000002E6E000-memory.dmp
    Filesize: 16.6MB
  • memory/2480-51-0x0000000001DE0000-0x0000000002E6E000-memory.dmp
    Filesize: 16.6MB
  • memory/2480-23-0x0000000001DE0000-0x0000000002E6E000-memory.dmp
    Filesize: 16.6MB
  • memory/2480-49-0x0000000001DE0000-0x0000000002E6E000-memory.dmp
    Filesize: 16.6MB
  • memory/2480-48-0x0000000001DE0000-0x0000000002E6E000-memory.dmp
    Filesize: 16.6MB
  • memory/2480-33-0x0000000001DE0000-0x0000000002E6E000-memory.dmp
    Filesize: 16.6MB
  • memory/2480-47-0x0000000000530000-0x0000000000531000-memory.dmp
    Filesize: 4KB
  • memory/2480-44-0x00000000003F0000-0x00000000003F2000-memory.dmp
    Filesize: 8KB
  • memory/2480-24-0x0000000001DE0000-0x0000000002E6E000-memory.dmp
    Filesize: 16.6MB
  • memory/2480-26-0x0000000001DE0000-0x0000000002E6E000-memory.dmp
    Filesize: 16.6MB
  • memory/2480-22-0x0000000001DE0000-0x0000000002E6E000-memory.dmp
    Filesize: 16.6MB
  • memory/2480-50-0x00000000003F0000-0x00000000003F2000-memory.dmp
    Filesize: 8KB
  • memory/2480-53-0x0000000001DE0000-0x0000000002E6E000-memory.dmp
    Filesize: 16.6MB
  • memory/2480-54-0x0000000001DE0000-0x0000000002E6E000-memory.dmp
    Filesize: 16.6MB
  • memory/2480-55-0x0000000001DE0000-0x0000000002E6E000-memory.dmp
    Filesize: 16.6MB
  • memory/2480-57-0x0000000001DE0000-0x0000000002E6E000-memory.dmp
    Filesize: 16.6MB
  • memory/2480-56-0x0000000001DE0000-0x0000000002E6E000-memory.dmp
    Filesize: 16.6MB
  • memory/2480-59-0x0000000001DE0000-0x0000000002E6E000-memory.dmp
    Filesize: 16.6MB
  • memory/2480-66-0x0000000001DE0000-0x0000000002E6E000-memory.dmp
    Filesize: 16.6MB
  • memory/2480-61-0x00000000003F0000-0x00000000003F2000-memory.dmp
    Filesize: 8KB
  • memory/2480-60-0x0000000001DE0000-0x0000000002E6E000-memory.dmp
    Filesize: 16.6MB
  • memory/2480-78-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize: 160KB