Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

ed2a347c16...2d.exe

windows7-x64

10

ed2a347c16...2d.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ed2a347c165ca9e2fc1fdd50a4554e575c17407dc9c865778390e7e076bb152d

  • Size

    796KB

  • Sample

    221204-ad1lmshd86

  • MD5

    11bd03379101ef560bb21ba8c76b5853

  • SHA1

    d5ecd45ea5e3dfdc5e53b40281a4e2f01b5df549

  • SHA256

    ed2a347c165ca9e2fc1fdd50a4554e575c17407dc9c865778390e7e076bb152d

  • SHA512

    8e11e68a54bbdc69cfc1d61d79cee1bd3f0586251764e4805536933a1bfd1049f56f71273ae78dd51d0a867cb494cd7db8f0605c0ec01e8ef9570f637b1cb682

  • SSDEEP

    6144:V8XXRUw9Oz5+iUPO4RJtvRx7HfnSzObtkLo5vOFTaLTGu0yvHcr+JB8aUEj:enRy+vvtHfRVxOFuPyAHcqrU

Score
10/10
evasionpersistencetrojan

Malware Config

Targets

    • Target

      ed2a347c165ca9e2fc1fdd50a4554e575c17407dc9c865778390e7e076bb152d

    • Size

      796KB

    • MD5

      11bd03379101ef560bb21ba8c76b5853

    • SHA1

      d5ecd45ea5e3dfdc5e53b40281a4e2f01b5df549

    • SHA256

      ed2a347c165ca9e2fc1fdd50a4554e575c17407dc9c865778390e7e076bb152d

    • SHA512

      8e11e68a54bbdc69cfc1d61d79cee1bd3f0586251764e4805536933a1bfd1049f56f71273ae78dd51d0a867cb494cd7db8f0605c0ec01e8ef9570f637b1cb682

    • SSDEEP

      6144:V8XXRUw9Oz5+iUPO4RJtvRx7HfnSzObtkLo5vOFTaLTGu0yvHcr+JB8aUEj:enRy+vvtHfRVxOFuPyAHcqrU

    Score
    10/10
    evasionpersistencetrojan

    • Modifies WinLogon for persistence

      persistence

    • UAC bypass

      evasiontrojan

    • Adds policy Run key to start application

      persistence

    • Disables RegEdit via registry modification

      evasion

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks