General
- Target: fd221d8c89c5aebbe02e3794def9cb4e8d5cb6076053b9bb5f56f5e09ee07447
- Size: 4.9MB
- Sample: 221206-2gdd3adc2s
- MD5: e678ed6062a8be299d4db0a6f9813319
- SHA1: ecac051f6bfb0a071b08f7da6d8f256cca68d778
- SHA256: fd221d8c89c5aebbe02e3794def9cb4e8d5cb6076053b9bb5f56f5e09ee07447
- SHA512: 839b8e92d2b61b00a2c9fcb12ac4b066f9f46ec8dadcab763b409513f6c6a5539680a505ef5e2027f5c97238cfa686fa7c5b99ab21a5aa2d53af4a513eec9ff0
- SSDEEP: 98304:OSr8VIN4BsICmhGObDshxWdIxiWx890YyXbZFPK+Tear7MJ3FBPEt:OSrNemYnDWxWYiW690YibHdea3A3vPEt
Static task
- static1
Behavioral task
- behavioral1
  Sample: fd221d8c89c5aebbe02e3794def9cb4e8d5cb6076053b9bb5f56f5e09ee07447.exe
  Resource: win7-20221111-en
Behavioral task
- behavioral2
  Sample: fd221d8c89c5aebbe02e3794def9cb4e8d5cb6076053b9bb5f56f5e09ee07447.exe
  Resource: win10v2004-20220812-en
Malware Config
Extracted
- Protocol: ftp
- Host: petrivanich.aiq.ru
- Port: 21
- Username: u364825
- Password: lu7l4mqm
Targets
- Target: fd221d8c89c5aebbe02e3794def9cb4e8d5cb6076053b9bb5f56f5e09ee07447
- Size: 4.9MB
- MD5: e678ed6062a8be299d4db0a6f9813319
- SHA1: ecac051f6bfb0a071b08f7da6d8f256cca68d778
- SHA256: fd221d8c89c5aebbe02e3794def9cb4e8d5cb6076053b9bb5f56f5e09ee07447
- SHA512: 839b8e92d2b61b00a2c9fcb12ac4b066f9f46ec8dadcab763b409513f6c6a5539680a505ef5e2027f5c97238cfa686fa7c5b99ab21a5aa2d53af4a513eec9ff0
- SSDEEP: 98304:OSr8VIN4BsICmhGObDshxWdIxiWx890YyXbZFPK+Tear7MJ3FBPEt:OSrNemYnDWxWYiW690YibHdea3A3vPEt
Score: 10/10
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of SetThreadContext