General

  • Target

    a453c72f70300b3ffbafefe87396342061b8b847e68eba4891b51ab1b7edfb08

  • Size

    646KB

  • Sample

    220701-dsvwgshgfk

  • MD5

    8fba405998aa281996ace0b5bf72f100

  • SHA1

    d2493023ab0cb67151bcd7db9fff2f06e46840d3

  • SHA256

    a453c72f70300b3ffbafefe87396342061b8b847e68eba4891b51ab1b7edfb08

  • SHA512

    67038ef7123827f4a1510475abd5a5b726ef33ca7f84f5418af09c0c3594ee2404e62f301be8bfbb728d2e5500e78dabfb1f8fa52f10ae24b02dff11785a493b

Targets

    • Target

      a453c72f70300b3ffbafefe87396342061b8b847e68eba4891b51ab1b7edfb08

    • Modifies Windows Defender Real-time Protection settings

      The sample changes Defender's real-time protection configuration. Turning real-time scanning off is a common first step so that later payload stages are not inspected when they are written or executed.

    • Phoenix Keylogger

      Phoenix is a keylogger and info stealer first seen in July 2019.

    • Phoenix Keylogger Payload

    • Looks for VirtualBox Guest Additions in registry

      The Guest Additions key only exists inside an Oracle VirtualBox guest, so its presence is a cheap signal that the sample is being analysed in a VM.

    • Looks for VMWare Tools registry key

      Likewise, the VMware Tools key betrays a VMware guest. Samples that find either key typically stall or exit instead of dropping the payload.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments: the manufacturer and product strings exposed in the hardware description frequently name the hypervisor.

    • Windows security modification

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP, which stealers commonly include in the victim profile they exfiltrate.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments: the enumerated disk identifiers commonly contain a virtual-disk vendor string, and analysis VMs tend to have very few drives.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites a thread's register state. Called on a thread in another process, it is the step that redirects execution to code already written into that process, as in process hollowing and similar injection techniques.
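
The four registry-based sandbox checks and the Defender change listed above can be hunted for in a process-monitor trace. The Python below is an added example, not part of the Triage report or of the Phoenix sample: the trace format is a simplified Procmon-style CSV and its lines are constructed; the registry paths are the usual locations of each artefact and are an assumption, since the report does not list the exact keys the sample queried. Reads of the Defender policy key are deliberately not flagged, because many legitimate programs read it; only writes count.

```python
"""Flag the registry-based sandbox checks and the Defender real-time
protection change from the Triage signature list in a process-monitor trace.

Added example: the trace format is a simplified Procmon-style CSV
(Operation,Path,Detail) and the lines below are constructed, not taken from
the report. The registry paths are the usual locations of each artefact and
are an assumption, since the report does not list the exact keys queried.
"""
import csv
import io
from collections import defaultdict

# Registry keys whose access fires each report signature (case-insensitive).
REGISTRY_SIGNATURES = {
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions":
        "Looks for VirtualBox Guest Additions in registry",
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools":
        "Looks for VMWare Tools registry key",
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS":
        "Checks BIOS information in registry",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum":
        "Maps connected drives based on registry",
}

# Defender policy key; only *writes* to these values count as tampering,
# since reading them is routine for legitimate software.
DEFENDER_RTP_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_RTP_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableOnAccessProtection", "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}
WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue"}


def normalise(path):
    """Lower-case the path and fold the long hive name to Procmon's HKLM."""
    path = path.replace("HKEY_LOCAL_MACHINE\\", "HKLM\\").rstrip("\\")
    return path.casefold()


def under_key(path, key):
    """True if path is key itself or a subkey/value beneath it."""
    return path == key or path.startswith(key + "\\")


def classify_event(operation, path):
    """Return the report signature this registry event matches, or None."""
    p = normalise(path)
    for key, signature in REGISTRY_SIGNATURES.items():
        if under_key(p, normalise(key)):
            return signature
    key, _, value = p.rpartition("\\")
    if (operation in WRITE_OPS and key == normalise(DEFENDER_RTP_KEY)
            and value in {v.casefold() for v in DEFENDER_RTP_VALUES}):
        return "Modifies Windows Defender Real-time Protection settings"
    return None


def summarise(trace_csv):
    """Map each fired signature to the registry paths that triggered it."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(trace_csv)):
        signature = classify_event(row["Operation"], row["Path"])
        if signature:
            hits[signature].append(row["Path"])
    return dict(hits)


# Constructed trace: the first five rows mirror the report's evasion checks,
# the RegSetValue row is the Defender change, the last two rows are benign.
SAMPLE_TRACE = """\
Operation,Path,Detail
RegOpenKey,HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions,Desired Access: Read
RegOpenKey,"HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools",Desired Access: Read
RegQueryValue,HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer,Type: REG_SZ
RegQueryValue,HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName,Type: REG_SZ
RegEnumValue,HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum\\0,Type: REG_SZ
RegSetValue,HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring,"Type: REG_DWORD, Data: 1"
RegQueryValue,HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring,Type: REG_DWORD
RegQueryValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Personal,Type: REG_SZ
"""

if __name__ == "__main__":
    for signature, paths in summarise(SAMPLE_TRACE).items():
        print(f"{signature}:")
        for path in paths:
            print(f"    {path}")
```

Matching is on key prefixes rather than exact values, so new value names under the BIOS or Disk\Enum keys still fire, while a sibling key that merely shares a name prefix does not. Any one of these checks is also made by legitimate inventory and licensing software; the signal is the combination of all of them in a single short-lived process together with the Defender write.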

MITRE ATT&CK Enterprise v6

Tasks