Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
21s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
02/02/2025, 23:48
General
-
Target
639c5053b060176ae34d35d3d81a0d51d93d5ec06dce6c6a743e0e39ebe5303c.exe
-
Size
1.9MB
-
MD5
3bb33439e5fd17b32587abac4461c2a9
-
SHA1
3eae5af86b5bb471d59e9e587bb527710a255f7e
-
SHA256
639c5053b060176ae34d35d3d81a0d51d93d5ec06dce6c6a743e0e39ebe5303c
-
SHA512
ef3e27dbb480b9e5c1388eac01c72479397542a0431b3c27060b575f83d3eda19ff557b8520a1749e6ad82504d40234b0d45b0977dc118227119aabafb9c66b4
-
SSDEEP
24576:JzYcWpbiQMobokEyEsEesVAqLJiZvqyrC9FNNaxXGrlwIB87qhZUFd4XH4eRCyDm:J58uIokSsvT26BECKfSo3oBAXRTcZIe
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\639c5053b060176ae34d35d3d81a0d51d93d5ec06dce6c6a743e0e39ebe5303c.exe"C:\Users\Admin\AppData\Local\Temp\639c5053b060176ae34d35d3d81a0d51d93d5ec06dce6c6a743e0e39ebe5303c.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD56e1b0d60c0fec9a30712232ac80f588f
SHA1a8d4e798a69554fb799131d921b8d66bb7a157d4
SHA256990b09016ea75138a1ab9c52f346ae60f97bed659aafded41c4e7c866f7a482c
SHA512e8c38e2b0e3a2617e3204e9287f82d1910ad553044156db738d33f69d5d559a9a986a6c1cdee90e10909816f3962b3c475b5340c7d8350b43ebcdcfa1d9ca54b
-
Filesize
721B
MD5512fbfea0e6d192dc846d9b49d3716cc
SHA15c29844ae6da67904e21460fe027a78aa5a411e3
SHA25624395fa7e2c02ae3d32b2f3575a1433aed05a87674b586f34ada84b538f234fb
SHA51210c6737897110dd48e42c94e2c7ce6ad6988ba8d5e9830917f5375068765886bf85014ef3b7b36c7ae0a48b78e42601d69756ade1de1e1852b08c3a41263d580
-
Filesize
257B
MD5701f134f6c76842cfac10aea6e27ac90
SHA18404728d9a559c25a07a2979438b466d7c6aa69e
SHA256bd447f60bae27880fcdc9f4ce504a6af392cabf662194bafb394d665b6cf8f65
SHA512edb37e818f560b3cdc36d60366309aa9bd2738091ce918fefc95c4fc61840704cf5b3c63fb23260acc11dae25a9f3094a0ae1ed84c3be3876487ee126e817a92
-
Filesize
100KB
MD5e1f5f6e4b270a6a81cad6a95fd2518cc
SHA1318ee320a4f638aebac5cf2dfe1b2574a1101818
SHA2562076d11ccfae3a6fff776887d1f3409d03320bdaca0c7473875f6cb1ee1978f3
SHA512fbde7161f1fb739c78535a88e412c49728b77f6ac0fca86c45cb454e55eb3de67cb6457969d284b0557285945a1f560ca7baac80c6f12638185c4a75a971a965
-
Filesize
11KB
MD5959ea64598b9a3e494c00e8fa793be7e
SHA140f284a3b92c2f04b1038def79579d4b3d066ee0
SHA25603cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b
SHA5125e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64
-
Filesize
812KB
MD51a9ae6a7e975fa3c77304cd8abbfb10c
SHA11f56bb9fff55822e271aad3880f43b87a5c8dee4
SHA256254e830f1fd1fa00a93cd7fa089df419f3580cfc171e0399820f4a2ec7671807
SHA512b78672fd63e26bdb2b16d6e99b506a180b980ff354890180f49a0ad4e2ddf7f58c696a7e268f5a58ae6f5d8f592a233cb68c0e59184f82b848acd7d663f404e1
-
Filesize
1.9MB
MD53bb33439e5fd17b32587abac4461c2a9
SHA13eae5af86b5bb471d59e9e587bb527710a255f7e
SHA256639c5053b060176ae34d35d3d81a0d51d93d5ec06dce6c6a743e0e39ebe5303c
SHA512ef3e27dbb480b9e5c1388eac01c72479397542a0431b3c27060b575f83d3eda19ff557b8520a1749e6ad82504d40234b0d45b0977dc118227119aabafb9c66b4
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
2.1MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
2.1MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
2.1MB
-
Filesize
2.1MB
