General

  • Target

    ChrisTitusTech_debloatWin10_elQueAnda.rar

  • Size

    83KB

  • Sample

    221228-rw7lcaaf22

  • MD5

    02edf6674f87c78de097b9bbec4fb74e

  • SHA1

    ae086d17f9906260474f5919b5a0d7729c90f7da

  • SHA256

    33c21bf2e0c7f058fc2d76c9fa41e7fa203b1793b45ea61fec551186998f709a

  • SHA512

    a83f4c3a21dee408cfae4c1964db29bc464995a1304328c1156ff3c2bdf77bf40357961dec516a52e1907316e7e3732d8fad829bfbff89f8ea86bce23bb8ddaf

  • SSDEEP

    1536:ZKA5zeRLNS8s1Z426C/yqa9AO1HaskNc0BHofR4Xva85RovZ3zn66wVLQ8V0oi:ZKAluLQ8s1Z4rC/jazuNtBHoRYyCRovF

Malware Config

Extracted

  • Language

    ps1

  • Source

    exe.dropper

  • URLs

    https://raw.githubusercontent.com/ChrisTitusTech/win10script/master/ooshutup10.cfg

    https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe

Targets

    • Target

      ChrisTitusTech_debloatWin10_elQueAnda/cttscript/HyperV Tools/arch.sh

    • Size

      3KB

    • MD5

      61f97d46bef37eafc2f53a6c7a342605

    • SHA1

      a0566c2a1b9bc4d45cb940f48681fdab1f794d77

    • SHA256

      7aacd932ed5093cd0a43bdb20908ad3415725fbb6c46ffce6e4c35f10766198e

    • SHA512

      2684529e311f2b67f060fbb65ba9bf7c9515bdf50ebef3ebd25114040a687f889b770ed3e7d9686560802aedac59b57a3aacb4ddf6c48c8069bef7c775dcd338

    Score
    8/10
    • Modifies hosts file

      Adds to hosts file used for mapping hosts to IP addresses.

    • Writes DNS configuration

      Writes data to DNS resolver config file.

    • Enumerates kernel/hardware configuration

      Reads contents of /sys virtual filesystem to enumerate system information.

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    • Target

      ChrisTitusTech_debloatWin10_elQueAnda/cttscript/HyperV Tools/deb.sh

    • Size

      35KB

    • MD5

      5e42a9d6ef515bc7d42c3875613c3a5a

    • SHA1

      e9a97f3130a136626731bcce2854a284911b1542

    • SHA256

      fa3522c916ac271a9eec4db52528c5fdbf10e32d635160fe61b8cbdc880bc695

    • SHA512

      cbe882034a122c7cf7a6f962b9cbf963cb915613624dbf71128ac87fcb63986f110f5a2545e32331bcab8b2049015b9f69534d4c14bab9eb92e714edda2c5872

    • SSDEEP

      192:RtVC966RFNxExiROI57EGe3imWH5zI2noiB3BsJYT5YafAFlm6ubYxh+Z724zRUs:s66XbrnWe6ubYrTw8Wjao+vrjAx

    Score
    7/10
    • Writes file to user bin folder

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    • Target

      ChrisTitusTech_debloatWin10_elQueAnda/cttscript/HyperV Tools/vm-gpusplit.ps1

    • Size

      1006B

    • MD5

      a60cc7ec87f3d361e24ee50c3157ec77

    • SHA1

      388f90571d44264ca8ea001d8be1234116e75c1f

    • SHA256

      ebbdc439cea1ef2f5f8a77fdca7353ecb328180f3d83e162da4b4e5fcbaa9eb0

    • SHA512

      d05f9706441ad588b4091bc43bec5c99a794ea48271f30e4a9486877b67f396a57563e56fa5609da2e4e03abfeebf0c06c7bf542f81d1cce0dcc61a8008036ce

    Score
    1/10
    • Target

      ChrisTitusTech_debloatWin10_elQueAnda/cttscript/HyperV Tools/vm-setresolution.ps1

    • Size

      109B

    • MD5

      48da8e2b47c2671912094103a3379b9a

    • SHA1

      b1d19a1495160b2414d4e147220eea9304fd0a58

    • SHA256

      d4c5631781e167b80fc6707e655bfa5f8f1bc6088788a68f6e928b533904ab86

    • SHA512

      48d4e90143fdd6b2bc349b9f956f4f0159f90978efbad225602732d37164b24cb726a8bebc3e71264a020dc0d1b7a690758be3e1d3b1498aedad1ec246198947

    Score
    1/10
    • Target

      ChrisTitusTech_debloatWin10_elQueAnda/cttscript/Individual Scripts/block-ads.ps1

    • Size

      196B

    • MD5

      81a327dc5cf2f6365efaa95436cda8a9

    • SHA1

      8e30fd2c89255b6eb2b0aa89047e20db356549d6

    • SHA256

      7ccf566f7c2b76aa820656bbec4fb82526b45ac6be0607cee3c4addecf6a5dfb

    • SHA512

      9089d08032fbb37a827fc89bda6f5d2251c54ec1fc137c2abe3c999e0c9094e94d3403770a4f857928f2d97912202eb8d7a1d1205861fa7165eee64c72f5f0a4

    Score
    8/10
    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      ChrisTitusTech_debloatWin10_elQueAnda/cttscript/Individual Scripts/block-eos.ps1

    • Size

      287B

    • MD5

      3541079f602c74abea286f90fa8d755d

    • SHA1

      df2521cd6a44e656365a2a7564d5277539fb86e9

    • SHA256

      d7c476bcda256448d7f7fbbce49f5faa93318886388fcc41f28ff19cb6fa9eb9

    • SHA512

      eab99d0bd89b9a9216b030aed4a62a04d0c82946e7fb50aa9557af1019bb7c16f8ffbaf90d5b594ff9e3cfd43374190996ae0500d728dc1c038f8c50d40cd7ea

    Score
    8/10
    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Target

      ChrisTitusTech_debloatWin10_elQueAnda/cttscript/Individual Scripts/robocopy.ps1

    • Size

      161B

    • MD5

      e07e4d18c1e182d942be4c38cc3d5eca

    • SHA1

      05e11619920174a97aa5ca42d4fc3b7807f64ad9

    • SHA256

      4258b0781b453981346ba07316886f4f2b990420608b97e84ae3c446d797c8eb

    • SHA512

      26c772fb1ca6b936ffa4a3715e72732620961e5cf62ff69f1cbc423ed341cecec714f7d5060602b5aa883337cad24eefa19f44cf0fb1436e7ef4b2a975c02b7d

    Score
    1/10
    • Target

      ChrisTitusTech_debloatWin10_elQueAnda/cttscript/Individual Scripts/spotlightimageextractor.cmd

    • Size

      1011B

    • MD5

      6cb60c9430cb6d8e10b310926c58bcbf

    • SHA1

      892675ac0aeba3bb4f6c47ed5c02530500dbe221

    • SHA256

      0eec5b166b18faefcd394d13a6ebce3cd12e48f70f6433c8e3d981432dcb7774

    • SHA512

      af040775812d9daccb99aeca0eccd3b9cae093d508a476518b39186a7992086e0609fe4afefb849cca530f5453d6fd74949fa4264eeec44f3e41ede231bd1916

    Score
    1/10
    • Target

      ChrisTitusTech_debloatWin10_elQueAnda/cttscript/old-win10debloat.ps1

    • Size

      139KB

    • MD5

      6aae27b2a94495f2ed0929f3233651bd

    • SHA1

      d8aa7f36f87974ddf0b084f83889dbaae411d779

    • SHA256

      604fe04679b88145c7472ada92307d1d49630a9b456ef891f2f85edb661e80a2

    • SHA512

      4d274188605057035c6ab1f3db3df81ce25b1842978d889cb24be44b99c171861757ea7037db1098b828ab54527e81607f9a1ae09a9b5baa5e5dc2503c587552

    • SSDEEP

      1536:QzJ8q2sNbHcKARUvCXZB81M7Gx6puQMu2:g8ovCBpuQMu2

    • Modifies visibility of file extensions in Explorer

    • Modifies boot configuration data using bcdedit

    • Modifies file permissions

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v6