Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
20s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
-
submitted
02/02/2025, 23:48
General
-
Target
639c5053b060176ae34d35d3d81a0d51d93d5ec06dce6c6a743e0e39ebe5303c.exe
-
Size
1.9MB
-
MD5
3bb33439e5fd17b32587abac4461c2a9
-
SHA1
3eae5af86b5bb471d59e9e587bb527710a255f7e
-
SHA256
639c5053b060176ae34d35d3d81a0d51d93d5ec06dce6c6a743e0e39ebe5303c
-
SHA512
ef3e27dbb480b9e5c1388eac01c72479397542a0431b3c27060b575f83d3eda19ff557b8520a1749e6ad82504d40234b0d45b0977dc118227119aabafb9c66b4
-
SSDEEP
24576:JzYcWpbiQMobokEyEsEesVAqLJiZvqyrC9FNNaxXGrlwIB87qhZUFd4XH4eRCyDm:J58uIokSsvT26BECKfSo3oBAXRTcZIe
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 38 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\639c5053b060176ae34d35d3d81a0d51d93d5ec06dce6c6a743e0e39ebe5303c.exe"C:\Users\Admin\AppData\Local\Temp\639c5053b060176ae34d35d3d81a0d51d93d5ec06dce6c6a743e0e39ebe5303c.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\BackgroundTaskHost.exe"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD56e1b0d60c0fec9a30712232ac80f588f
SHA1a8d4e798a69554fb799131d921b8d66bb7a157d4
SHA256990b09016ea75138a1ab9c52f346ae60f97bed659aafded41c4e7c866f7a482c
SHA512e8c38e2b0e3a2617e3204e9287f82d1910ad553044156db738d33f69d5d559a9a986a6c1cdee90e10909816f3962b3c475b5340c7d8350b43ebcdcfa1d9ca54b
-
Filesize
11KB
MD5959ea64598b9a3e494c00e8fa793be7e
SHA140f284a3b92c2f04b1038def79579d4b3d066ee0
SHA25603cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b
SHA5125e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64
-
Filesize
812KB
MD51a9ae6a7e975fa3c77304cd8abbfb10c
SHA11f56bb9fff55822e271aad3880f43b87a5c8dee4
SHA256254e830f1fd1fa00a93cd7fa089df419f3580cfc171e0399820f4a2ec7671807
SHA512b78672fd63e26bdb2b16d6e99b506a180b980ff354890180f49a0ad4e2ddf7f58c696a7e268f5a58ae6f5d8f592a233cb68c0e59184f82b848acd7d663f404e1
-
Filesize
721B
MD5512fbfea0e6d192dc846d9b49d3716cc
SHA15c29844ae6da67904e21460fe027a78aa5a411e3
SHA25624395fa7e2c02ae3d32b2f3575a1433aed05a87674b586f34ada84b538f234fb
SHA51210c6737897110dd48e42c94e2c7ce6ad6988ba8d5e9830917f5375068765886bf85014ef3b7b36c7ae0a48b78e42601d69756ade1de1e1852b08c3a41263d580
-
Filesize
1.9MB
MD53bb33439e5fd17b32587abac4461c2a9
SHA13eae5af86b5bb471d59e9e587bb527710a255f7e
SHA256639c5053b060176ae34d35d3d81a0d51d93d5ec06dce6c6a743e0e39ebe5303c
SHA512ef3e27dbb480b9e5c1388eac01c72479397542a0431b3c27060b575f83d3eda19ff557b8520a1749e6ad82504d40234b0d45b0977dc118227119aabafb9c66b4
-
Filesize
257B
MD503667225e6607f7c7d59dc2f5474c69a
SHA16079ed3a4c0209ff5ed085d9b6f0cc5d354be945
SHA2565f13fa4ea87c7eaf5630334a79c66c5b636801e9cfe1a7746d5e0e8e54ed1219
SHA5125a1ce1a0ef094db4f52c4ac277a073d1b65736d85fde36cbd5213d4d7e2d3963b93700a74d8bcd8bf680367331521e28a0fde0384aef8502424580cc3d8ad0f5
-
Filesize
100KB
MD597595e3bad1f9e40eb80ea0036f1a7be
SHA113709b229ba486271214914ff9aeabff01198504
SHA256047c6f29354578bf8ad71dc377d539f0f0fc9922d53a07fa2a42cd209b3b6fb4
SHA512431950aee678046489c509814fda77109b6ed4c8ef39a88254290ec0be2519badef0c4466e63ada1e47277069efe575c319bd52ce3cdaadb2658db90d14d5c5f
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
2.1MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
2.1MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
2.1MB
-
Filesize
2.1MB
