General

  • Target

    HEUR-Trojan.MSIL.Agent.gen-fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997.exe

  • Size

    555KB

  • Sample

    220924-lm7l4aahh5

  • MD5

    2102422fdf58e1f1ea628e864576f437

  • SHA1

    a071690fa220c12e9b5fa85e70dc3e7c42b30893

  • SHA256

    fffc3cd304a280746276a3fa580a08f3de6aa2db4196c28ebd1c905607de0997

  • SHA512

    9894a54a6c85ce3e087ef6f2a6da1a5744d71667eaa8f17d23985e15c39a425cfe53f838875573e828170ce6d3756618c4b293e3d81dfc7a7a5570daf2c0c2b6

  • SSDEEP

    12288:gfp3lxis8EdrQso5hnyRIAPQJno5hnyRIAQg:gfp36sN5snUPjnUQg

Malware Config

Targets

    • Modifies Windows Defender Real-time Protection settings

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Windows security modification

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks